troves
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires running "npx starkfi@latest" (fetching and executing the remote npm package starkfi at runtime), which means it fetches and runs remote code the skill depends on, so it is a runtime external dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain financial operations: it provides specific commands for depositing and withdrawing tokens into Troves DeFi vault strategies (npx starkfi@latest troves-deposit and troves-withdraw), includes required transaction parameters (amount, token, amount2/token2 for dual-asset), simulation and broadcast flags, and mandates post-transaction verification via tx-status. It requires an active session and sufficient token balance and references blockchain-specific contexts (Starknet, vault strategies, APY, TVL). These are concrete crypto/blockchain transaction capabilities (sending deposits/withdrawals), so it grants direct financial execution authority.
Issues (2)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata