viral-game

Warn

Audited by Snyk on Jun 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The only runtime outsider free-text ingestion path is Form B (tweet URL as game concept): the skill fetches tweet text from a third-party API (fetch-tweetWebFetch) and then uses it as creative inspiration, which the agent may pass into LLM context to generate the game concept; this is outsider-authored free text.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly implements monetization flows: it registers games via the Play.fun API (POST https://api.play.fun/games), retrieves and embeds the user's Play.fun public API key, adds the Play.fun browser SDK, wires score-to-points logic (sdk.addPoints / sdk.savePoints), and references "wallet connect" / token rewards ("launch a playcoin") for players. These are specific, payment/crypto-related integration steps (game registration, SDK use, and wallet connect) rather than generic tooling, so the skill grants direct financial/monetization execution capability.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Jun 12, 2026, 11:20 PM
Issues: 2