assets

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly calls public Horizon endpoints (e.g., server.loadAccount, server.assets(), the friendbot fetch examples) and references fetching/using third-party stellar.toml files (SEP-0001), so it ingests untrusted, user-generated account and asset metadata that the agent reads and uses to decide trustlines, authorizations, and transfers.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly about issuing, transferring, and managing Stellar assets and SAC tokens. It contains concrete crypto/financial APIs and operations (StellarSdk.Operation.payment, changeTrust, setOptions, setTrustLineFlags, Operation.clawback, server.submitTransaction, keypair creation/signing, SAC transfer functions and contract deploy) that create accounts, sign transactions, move tokens, and perform clawbacks/authorization. This is a specific blockchain/crypto financial-execution capability, not a generic tool, so it grants direct financial execution authority.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 12, 2026, 09:21 PM
Issues: 2