vechain-dev
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs using external MCP servers and public web endpoints (see references/resources.md and SKILL.md which call out @vechain/mcp-server, the VeChain Kit docs MCP endpoint, and MCP tools like getB3TRProposalComments/getB3TRProposalComments) to fetch live docs, on-chain data and user-generated proposal comments, which the agent is expected to read and use to drive decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running the MCP server via "npx -y @vechain/mcp-server@latest" (see https://www.npmjs.com/package/@vechain/mcp-server), which fetches and executes remote code at runtime to provide MCP endpoints that the agent uses to load external docs/data into its prompt/context—this is a runtime-executed external dependency that can directly control the agent's inputs.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly about building and sending VeChain blockchain transactions and managing on-chain token/staking/governance actions. It references VeChain SDKs and VeChain Kit hooks (e.g., useSendTransaction), transaction building/sending/confirmation, fee delegation (VIP-191), multi-clause transactions, VET/VTHO token handling, staking/StarGate and DAO reward flows, and backend SDKs for on-chain transaction construction. These are specific crypto/blockchain execution capabilities (wallet signing/transactions, token transfers, staking), not generic tooling, so the skill grants direct financial execution authority.