w

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill calls MCP tools that read public blockchain data (e.g., mcp__world_w_aptos__aptos_view and related aptos_* commands), which clearly fetch and require the agent to interpret untrusted, user-controlled on-chain content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes blockchain financial operations tied to a named wallet (world_w_aptos) and MCP endpoints that perform money-moving actions: aptos_transfer ("Transfer APT"), aptos_swap ("Swap tokens on DEX"), and aptos_stake ("Stake with validator"). These are specific crypto/blockchain transaction capabilities (including a balance check and approval flow) rather than generic tooling. Therefore it grants direct financial execution authority on the Aptos blockchain.