masumi

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow (SKILL.md and references/agentic-services.md / masumi-payments.md) instructs agents to query the decentralized Registry/Registry Service for agent entries (e.g., GET /registry-entry and GET /payment-information) and then call arbitrary api_endpoint URLs returned in that registry metadata (and example_output_url), meaning the agent will fetch and interpret untrusted, third‑party endpoints/content and use those responses to drive payments and job processing.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs cloning and running remote code from the Masumi Payment Service repository (git clone https://github.com/masumi-network/masumi-payment-service followed by npm install and npm run dev), which is fetched and executed at runtime and is a required dependency for the skill, so it constitutes a high-confidence runtime external code-execution dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform blockchain payments and wallet operations. It describes a Masumi Payment Service (self‑hosted node) that manages wallets, performs payment processing, integrates Cardano smart contracts (escrow), enables Agent-to-Agent autonomous transactions, and exposes Payment Service APIs (e.g., register/deregister with pricing, admin dashboard, automated collection to a collection wallet). The documentation includes fund-wallet setup, testnet/mainnet flows, a concrete curl example for registry/pricing, and a defined payment flow (locking USDM, dispute period, collect payment). These are specific crypto/blockchain payment and wallet capabilities — i.e., direct financial execution.