cns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md instructs the agent to call mcp__convex-testnet__resolveCNS to resolve CNS names and read returned value/metadata (public, user-controlled on-chain entries), which the agent may interpret and use to select actor addresses and subsequent calls, exposing it to untrusted third-party content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes an on-chain transaction API for registering/updating CNS names (example: (call #9 (cns-update 'my.name *address*))). That is a concrete "send transaction" capability to modify blockchain state (not just a generic resolver). Per the decision logic, the presence of explicit transaction/call functionality for blockchain operations constitutes direct execution authority. Although it's a name registry (not a payment gateway), it is a specific blockchain operation rather than a generic tool, so it meets the criteria for crypto/blockchain execution capability.