surfpool

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly lazy-forks and fetches live mainnet state from public RPC endpoints (e.g., rpc_url = "https://api.mainnet-beta.solana.com" in Surfpool.toml and surfpool start -u), and provides runtime methods that clone or stream arbitrary mainnet accounts/programs (surfnet_cloneProgramAccount, surfnet_streamAccount, pre-clone/stream config), so the agent ingests untrusted, public third-party content as part of its workflow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly a Solana development environment with built-in blockchain transaction and balance manipulation capabilities. It exposes RPC cheatcodes and CLI/runbook actions that create/modify token accounts, set lamports, perform airdrops/faucets, clone accounts/programs, and send/profile transactions (e.g., surfnet_setAccount, surfnet_setTokenAccount, the Universal Faucet, surfnet_profileTransaction, runbook action svm::send_transaction, airdrop options and keypair signing). These are direct crypto/blockchain execution primitives (creating transactions, changing balances, signing/sending), so the skill provides direct financial execution authority.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 10:14 PM