aptos-society
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill exposes externally-posted, actor-generated data via its HTTP interface (e.g., POST /manifest and the event bus endpoints like POST /bus and GET /bus/events) which accepts and returns run manifests and event logs that the kernel reads and uses in workflows such as verifyMintProofManifestLink and calculatePayouts, creating a path for untrusted third-party content to influence agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly defines Aptos blockchain wallet tools and on-chain transaction functions. It lists MCP tools named mcp__world_{letter}aptos__aptos_transfer and mcp__world{letter}_aptos__aptos_swap, and exposes a Swift actor API with func transfer(to: Address, amount: Decimal) and a balance() method. These are specific, purpose-built crypto/transfer operations (sending transactions and swaps) rather than generic tooling. Under the decision logic ("Is this tool's primary and explicit definition to move money?"), this skill provides direct financial execution capabilities for crypto, so it must be flagged.