wallet-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly describes connecting to arbitrary wallet URLs and that the signer "fetches ICRC-21 consent message" from canisters/wallets (see the End-to-End Lifecycle step 4 and the Consent Message / prompt handler sections), meaning untrusted canister/wallet-provided consent messages are displayed/parsed and directly determine approve/reject and subsequent canister calls, so third-party content can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls IcrcWallet.connect() with a runtime signer URL (e.g., "https://your-wallet.example.com/sign" and the local-dev "http://localhost:5174/sign"), which opens a remote wallet UI that controls permission/consent prompts and executes canister calls, so the external URL is used at runtime and directly controls prompts and execution.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to integrate wallets and perform ledger operations on the Internet Computer. It documents and exposes concrete token-transfer and approval APIs (e.g., IcpWallet.icrc1Transfer, IcpWallet.icrc2Approve, IcrcWallet.transfer, IcrcWallet.approve, transferFrom), references ledger canister IDs, consent/transaction approval flows, and use cases like token transfers, NFT mint/claim, and deposit/top-up flows. This is not a generic tool; its primary purpose is to execute financial transactions on-chain via wallet signing. Therefore it grants direct financial execution capability.