charms

Warn

Audited by Snyk on Feb 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly uses charms wallet list and charms tx show-spell to read and decode on-chain transactions (public, user-generated blockchain data) as part of spell inspection and wallet flows. The decoded spell and transaction contents are then used to validate/prove and to gate subsequent actions such as proving, signing and submission, which could allow untrusted third-party data to influence agent decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly targets Bitcoin blockchain operations: it requires a charms CLI and bitcoin-cli, describes wallet inventory and wallet/server integration, and provides commands to build, prove, sign/prepare, inspect, and submit transactions (e.g., charms spell prove with funding UTXO and change address, charms tx show-spell, and guidance to submit package/commit/spell transactions). These are specific crypto/wallet/transaction signing and submission capabilities, that is, direct financial execution on a blockchain.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 08:50 AM