erc-8004

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill and SDK explicitly auto-fetch and parse arbitrary agent registration files and endpoints (e.g., agent.setMCP(..., true) / agent.setA2A(..., true), EndpointCrawler, and IPFS/HTTPS agentURI/feedback files as described in SKILL.md and sdk-typescript.md), which are untrusted public web/IPFS content that the agent reads and uses to extract tools/prompts/metadata that can materially influence behavior, enabling indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain transaction and wallet functionality. The TypeScript SDK examples require a privateKey and rpcUrl, create and register agents on-chain (agent.registerIPFS() that mints an NFT and returns a tx you wait to confirm), and show tx-based feedback submission (giveFeedback with a tx and proofOfPayment fields). The registration format includes an "agentWallet" (eip155:...) and mentions EIP-712/ERC-1271 and x402 payment protocol support. These are concrete crypto/blockchain wallet and signing operations (sending transactions, signing), which qualifies as direct financial execution capability under the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion.