mezo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and act on public third‑party content — e.g., scripts/check-rpc.sh posts to public RPC URLs (references/network-and-env.md lists multiple public RPC endpoints) and references/mezod-and-validator-kit.md shows cloning GitHub repos — so responses from those external sources are read and used to make decisions and drive tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's mezod quickstart explicitly runs a runtime git clone and build sequence—"git clone https://github.com/mezo-org/mezod.git" followed by go mod download / make build / make dev—so the URL https://github.com/mezo-org/mezod.git is a runtime-fetched dependency whose code is compiled/executed locally.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly defines blockchain transaction workflows and wallet interactions that move value: Mezo Passport wallet connection, deploying contracts with a configured signer/provider, Mezo Earn automation (veBTC lock lifecycle, gauge voting, rewards claims, incentive posting), and epoch-aware automation for vote/poke/claim actions. It targets mainnet/testnet, confirms transactions on explorers, and includes node/operator and validator onboarding commands. These are specific crypto/blockchain financial operations (wallets, signing, claims, posting incentives) — not generic tooling — so it grants direct financial execution capability.