web3-case-study-role-misconfig

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to query public third‑party sources (e.g., "cast call <REWARDS_DISTRIBUTOR_ADDR> ...", "Etherscan → Events", and "forge test --fork-url $MAINNET_RPC_URL") and to interpret those on‑chain / Etherscan results as verification for whether to submit a finding, exposing the agent to untrusted public content that can influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about blockchain financial contracts and includes concrete crypto transaction calls and tooling: it references DEX swaps (dex.exactInputSingle), lendingProtocol.supply/withdraw, and a Solidity PoC that calls contract functions (claimFor), plus CLI "cast call" and "forge test" commands that interact with deployed contracts on-chain. These are specific crypto/blockchain operations (swaps/transfers/contract calls), not generic tooling, so it provides direct crypto execution capability.