web3-poc-foundry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching public third‑party content—e.g., using forge init with GitHub templates (immunefi-team/forge-poc-templates) and forking live chains via public RPC URLs in .env like https://eth.llamarpc.com—which causes the agent/workflow to ingest and act on untrusted, user‑hosted code and blockchain state that can materially influence test behavior and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations. It contains concrete Web3/DeFi APIs and code patterns to move value: token.approve/transfer/transferFrom, Uniswap/DEX swapExactTokensForTokens, flash loans (IBalancerVault.flashLoan), deposit/withdraw calls on protocols, casting/send examples, RPC fork URLs, and signing helpers (vm.sign, vm.addr). These are specific blockchain wallet/transaction, swap and signing primitives — not generic automation — and therefore constitute Direct Financial Execution capability.