zkvm-evaluator
Warn
Audited by Snyk on Mar 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly loads and runs untrusted verification programs and deliverables from public IPFS references (e.g., "programRef: QmXyz..." and "deliverableRef: QmAbc..." in SKILL.md) and uses the program's stdout/exit code to decide on-chain actions, so third-party content can directly influence tool behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes a tool "zkvm_evaluate_job" that runs a verification program and "settle[s] job on-chain." The example flow shows completing a job resulting in "funds released to Provider." This is a purpose-built on-chain escrow/settlement capability for ERC-8183 jobs — i.e., an explicit crypto/blockchain financial execution (releasing funds).
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata