1sat-stack

Warn

Audited by Snyk on May 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and stream public, user-generated on-chain content from api.1sat.app (notably ORDFS content via /content/{outpoint} and owner SSE endpoints like /owner/{owner}/txos) and the included scripts (scripts/query-unified.ts and SKILL.md) show the agent reading inscription metadata and content as part of its workflow, so arbitrary third‑party content could influence decisions and enable indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes blockchain transaction and payment endpoints: it provides UTXO/owner queries to build transactions, BSV21 token balance endpoints, and—critically—broadcasting APIs (POST /arcade/tx and POST /arcade/txs) plus Paymail payment endpoints (POST /v1/bsvalias/receive-beef and POST /v1/bsvalias/receive-transaction). These are specific crypto transaction operations (signing/broadcasting/receiving BSV transactions), i.e., direct financial execution capabilities rather than generic tooling.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 8, 2026, 05:38 PM
Issues: 2
Security Audit — snyk — 1sat-stack