cadence

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs the agent to use MCP tools (search_docs, get_doc, browse_docs) and LLM endpoints that fetch and read public third‑party content from cadence-lang.org (e.g., https://cadence-lang.org/llms.txt, https://cadence-lang.org/llms-full.txt) and a public MCP server (https://cadence-mcp.up.railway.app/mcp) and GitHub links, meaning the agent will ingest and act on open web content that could contain instructions influencing its next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs AI tools to use external LLM resources (https://cadence-lang.org/llms.txt and https://cadence-lang.org/llms-full.txt) and an MCP server (https://cadence-mcp.up.railway.app/mcp) that are fetched at runtime to supply documentation/context to the model, so remote content can directly be injected into prompts and influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Cadence/Flow smart-contract development reference that includes concrete, purpose-built APIs and examples for moving cryptocurrency and tokens: Vault/withdraw, deposit, token minting, transactions that withdraw from a signer's vault and deposit to a receiver, capability issuance for access to balances, and account signing/prepare phases. These are specific blockchain/crypto transaction primitives (wallet-like operations and on-chain transfers), so it grants direct financial execution capability.