Security Audit: contract (audited by Snyk)

Result: Fail

Audited by Snyk on Mar 17, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs wallet unlocking via a command that passes the password as a CLI argument (--password <password>), which would require the LLM to emit the user's password verbatim when constructing or logging that command, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and interprets public on-chain and web data — e.g., contract.ts uses getHiroApi(...).callReadOnlyFunction to read arbitrary deployed contract state and SKILL.md/AGENT.md direct users to pre-simulate on stxer.xyz — both are public, user-generated sources whose results the agent reads and uses to decide deploy/call actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for interacting with the Stacks blockchain: it can deploy smart contracts (broadcasts smart_contract transactions) and call public contract functions (signs and broadcasts contract_call transactions). It requires an unlocked wallet to perform write operations, supports fee settings, and exposes post-condition formats for STX, fungible tokens, and NFTs (i.e., explicit token transfer conditions). These are direct crypto/blockchain signing and broadcasting capabilities, not generic tooling.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 17, 2026, 04:59 AM
Issues: 3