nano
Warn
Audited by Snyk on May 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly uses public third-party RPC endpoints (e.g., https://rainstorm.city/api and https://nanoslo.0x.no/proxy) and references external explorer/representative sites (blocklattice.io, nanoticker.org) as required parts of its workflow, so the agent ingests untrusted public content (RPC responses/web pages) that can materially influence balance/receive/send decisions and tool usage.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's fallback explicitly runs remote code at runtime by fetching the npm package via commands like "bunx -y xno-skills@2.8.5" (and pnpm/npx equivalents), which downloads and executes external package code (xno-skills@2.8.5) and therefore presents a supply-chain / remote code execution risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Nano (XNO) wallet operator with built-in transaction and wallet management APIs. It defines and mandates use of MCP/CLI tools that construct, sign (via OWS), generate PoW, and broadcast transactions: send, receive, payment_request_create, payment_request_receive, payment_request_refund, wallets, and related commands. It also supports creating refunds, executing sends, and managing spending limits (config_set). These are specific crypto financial operations (wallets, signing, sending/receiving funds), not generic tooling.