centrifuge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflow instructs the agent to connect to the external Centrifuge platform via the Membrane CLI (e.g., "membrane connect", "membrane action list", "membrane action run" in SKILL.md), which fetches and returns data (on-chain records, invoices, etc.) from a third-party source that the agent is expected to read and act on, exposing it to untrusted user-generated content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for Centrifuge, a DeFi/on-chain asset financing platform, and exposes domain-specific concepts like Pool, Transaction, and Invoice and references "on-chain asset financing" and tokenization. It instructs using the Membrane CLI to create connections and to discover and run Membrane "actions" (membrane action run ...) against a Centrifuge connection. Those actions are purpose-built integrations and can include transaction-executing operations on the Centrifuge platform (i.e., on-chain transactions, invoices, asset financing flows). This is not a generic tool invocation; it is a targeted integration for a blockchain financial platform and therefore enables direct financial execution (sending transactions, managing on-chain assets) via pre-built actions.