metaplex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and parse arbitrary off-chain registration/metadata URLs and external APIs (e.g., sdk-agent.md "Read Registration Document" uses fetch(agentIdentity.uri) and the CLI/SDK workflows accept arbitrary https/arweave URIs and DAS API endpoints for proofs), so untrusted third-party content is ingested and can influence subsequent tool use or decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes blockchain transaction and wallet management capabilities: creating and transferring fungible tokens and NFTs, executing with asset-signer wallets/PDAs, agent registry with on-chain identity and delegation, Genesis token launches (including deposit/fund flows), and CLI/SDK commands like genesis launch create, transfer fungible tokens, and Execute (asset-signer wallets). These are direct crypto/financial execution primitives (wallets, signing, moving funds/tokens), not generic tooling, so it grants direct financial execution authority.