superfluid

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs calling permissionless, third-party macro contracts and public APIs/subgraphs (e.g., MacroForwarder.buildBatchOperations and runMacro in references/guides/macro-forwarders.md, plus runtime scripts like scripts/balance.mjs that call Super API/subgraphs), which means the agent is expected to ingest untrusted, publicly-hosted contract/API output that can directly determine executable batch operations and therefore influence subsequent tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with the Superfluid on‑chain protocol and its contracts (ABIs, contract addresses, forwarders, MacroForwarder, Host.callAgreement()/batchCall, CFA/GDA forwarders, SuperToken upgrade/downgrade, SuperTokenV1Library methods like token.flow, create/update/delete streams, distribute, stake/unstake, batch liquidation, EIP‑712 signed macro patterns, etc.). It documents concrete transaction‑calling APIs, contract addresses, and convenience forwarder/macro methods for composing and sending on‑chain transfers and streaming payments. These are specific blockchain financial execution capabilities (creating/updating/deleting streams, distributing tokens, wrapping/unwrapping, running macros to execute transactions atomically), not generic tooling. Therefore it grants direct financial execution authority.