cadence

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to use a remote MCP server (https://cadence-mcp.up.railway.app/mcp) and tools like search_docs/get_doc/browse_docs to fetch public docs/LLM dumps from cadence-lang.org and public GitHub repos, which the agent is expected to read and which can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs agents to add and use a remote MCP server (https://cadence-mcp.up.railway.app/mcp) and to fetch LLM-optimized docs (e.g., https://cadence-lang.org/llms.txt and https://cadence-lang.org/llms-full.txt) at runtime — these endpoints are invoked by the skill to provide model-context docs and remote tooling (code checks/type inspection), so fetched content can directly control prompts and agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a Cadence/Flow smart-contract reference whose primary purpose is writing and executing on-chain token logic. It contains explicit, domain-specific APIs and examples that move value: Vault.deposit/withdraw, transaction examples that withdraw an amount and deposit to a recipient, createEmptyVault, mint & transfer NFT transactions, capability issuance and publishing, and inbox capability transfer. These are concrete blockchain asset-transfer primitives (wallet/vault operations and on-chain transfers), not generic tooling, so it provides direct financial execution capability.