t2000-sentinel

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md instructs the agent to fetch and browse sentinels via commands like "t2000 sentinel list" and "t2000 sentinel info" and explicitly tells the agent to "Study the sentinel's public prompt" (crowdsourced/public prompts), meaning the agent will read untrusted third-party content that it must interpret to craft attacks, creating clear potential for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs blockchain financial actions: it requires an agent wallet with SUI balance, invokes on-chain transactions for attacks (request/settle txs), includes commands to swap tokens (e.g., "t2000 swap 1 USDC SUI", "t2000 swap 10 SUI USDC"), checks balances, and automatically transfers bounty payouts to the agent's t2000 address. These are concrete crypto/blockchain operations (wallet balance, swaps, on-chain transfers), not generic tooling, and thus constitute direct financial execution authority.