vechain-kit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's reference docs (e.g., references/kit-hooks.md and references/kit-components.md) explicitly describe runtime hooks that resolve and fetch user-generated public content — e.g., useNFTImage/useIpfsImage (IPFS gateway resolution, NFT metadata), useGetTextRecords/useVechainDomain (on-chain text records and avatars) — and those fetched values are consumed by the UI and transaction logic (useSendTransaction), so untrusted third-party content can influence app behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for VeChain blockchain integration: it documents wallet connection, smart accounts, transaction-building and sending, hooks named useSendTransaction/useBuildTransaction/useSignMessage, useThor for Thor client access, and references on-chain transaction building, signing, and fee delegation. These are specific crypto/blockchain execution capabilities (wallets, signing, sending transactions), so it grants direct financial execution authority for crypto operations.