icrc-ledger

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill makes runtime calls to public ledger canisters (e.g., the icpLedger actor using canister ID ryjl3-tyaaa-aaaaa-aaaba-cai and methods like icrc1_balance_of, icrc1_fee, icrc1_metadata and error responses) which read public, user-submitted on-chain data and metadata that the workflow uses to decide fees/handle errors, so untrusted third-party content can influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly and specifically designed to perform on-chain token operations. It defines and calls ICRC-1/ICRC-2 ledger APIs (icrc1_transfer, icrc2_approve, icrc2_transfer_from), includes concrete functions to send tokens, approve spenders, and transferFrom other accounts, and references real token canister IDs (ICP, ckBTC, ckETH). Those are direct crypto/blockchain transfer primitives (moving value). Therefore it grants Direct Financial Execution authority.