starton

Warn

Audited by Snyk on Apr 3, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's "Proxy requests" section in SKILL.md explicitly lets the agent send requests through Membrane to the Starton API (including NFT metadata and storage/file endpoints that can contain user-provided content), and the agent is expected to read and act on those API responses as part of its workflow, exposing it to untrusted third-party content that could carry injected instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a specific integration for Starton, a blockchain platform. It explicitly exposes Wallet and Transaction functionality, support for deploying smart contracts, and a proxy to call Starton API endpoints. It uses Membrane actions/requests to run operations (including POST/PUT/DELETE) against Starton with authenticated credentials. These capabilities are explicitly designed to interact with crypto/blockchain wallets and transactions — i.e., to sign/send/manage on-chain transactions — which qualifies as direct financial execution.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 02:42 AM
Issues: 2