8004-skill
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). This skill fetches and parses untrusted registration JSON hosted on public IPFS/Pinata (agentURI/tokenUri). See SKILL.md and scripts/verify.mjs, which uses PINATA_GATEWAY to fetch the tokenUri and inspects card.registrations/card fields to decide verification/next steps. This exposes the agent to third-party content that could carry injected instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain blockchain operations: it includes ABI write functions (register, setAgentURI, setMetadata), example code to encode calldata, and concrete commands using a signer to broadcast transactions (viem-local-signer send-contract). The scripts and required env vars (AGENT_PRIVATE_KEY, MONAD_RPC_URL, chain ID) show the agent can sign and send transactions on Monad mainnet (requiring MON for gas) and mint ERC-8004 identity NFTs. This is a specific crypto/blockchain execution capability (wallet signing and broadcasting), which matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.