ton-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's documented CLI tools (e.g., get_transactions, get_nft / get_nfts_by_address, get_jetton_info, resolve_dns and related examples) clearly fetch and return public on-chain and DNS data (often via third-party services like Toncenter), which is untrusted/user-generated content that the agent is expected to read as JSON and could materially influence follow-up actions such as send_ton; therefore it exposes the agent to indirect prompt-injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes the remote npm package via "npx @ton/mcp@alpha" at runtime, which downloads and executes code from the npm registry as a required dependency, so it performs remote code execution during runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a TON wallet/CLI exposing blockchain financial operations: it provides send_ton, send_jetton, send_nft, send_raw_transaction and swap-related tools. It also accepts MNEMONIC or PRIVATE_KEY environment variables and wallet selectors for signing and sending transactions. These are specific crypto wallet and transaction-sending capabilities (sending funds, tokens, NFTs, and raw transactions), which constitute direct financial execution authority.