surfpool

Warn

Audited by Snyk on Apr 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly performs mainnet forking and lazy-loading from public RPC endpoints (e.g., the default rpc_url "https://api.mainnet-beta.solana.com" in Surfpool.toml and the CLI option surfpool start -u ...), and includes runtime operations that clone/stream mainnet accounts and programs (e.g., surfnet_cloneProgramAccount, surfnet_streamAccount, surfnet_resetAccount), so untrusted public blockchain data is fetched and used as part of the tool's workflow and can materially change execution behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill documentation includes commands that fetch and execute remote code during installation/CI—most notably curl -sL https://run.surfpool.run/ | bash (and a from-source git clone https://github.com/txtx/surfpool.git followed by cargo surfpool-install)—which directly run external code that the skill relies on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly a Solana development environment with built-in blockchain transaction and balance manipulation capabilities. It exposes RPC cheatcodes and CLI/runbook actions that create/modify token accounts, set lamports, perform airdrops/faucets, clone accounts/programs, and send/profile transactions (e.g., surfnet_setAccount, surfnet_setTokenAccount, the Universal Faucet, surfnet_profileTransaction, runbook action svm::send_transaction, airdrop options and keypair signing). Those are direct crypto/blockchain execution primitives (creating transactions, changing balances, signing/sending), so it provides direct financial execution authority.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 05:06 PM
Issues: 3