ton-send

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow explicitly calls resolve_dns for .ton/.t.me domains (see MCP Tools and "Send TON" step 1), meaning the agent ingests external DNS records (untrusted third‑party data) that directly determine transaction recipients and thus can materially influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute blockchain transactions: it exposes send_ton and send_jetton operations, resolves TON DNS, can create/use wallets, confirms amounts and recipients, and polls transaction status. These are specific crypto/Blockchain transfer functions (sign/send transactions), i.e., direct financial execution capability.