acton
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md "Source of truth" explicitly tells the agent to use and consult public hosted docs (e.g. https://ton-blockchain.github.io/acton/docs/welcome/ and https://github.com/ton-blockchain/acton-contracts), so the agent is expected to fetch and interpret untrusted third-party web content which can change CLI behavior and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill repeatedly instructs running curl -LsSf https://github.com/ton-blockchain/acton/releases/latest/download/acton-installer.sh | sh at runtime to install Acton, which fetches and immediately executes remote code and is a required dependency for the workflow.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly exposes blockchain wallet and transaction capabilities: it documents wallet commands (acton wallet new/import/export-mnemonic/sign/remove/airdrop) and guidance to store mnemonics and sign transactions. It also documents broadcasting scripts to networks via --net testnet|mainnet (i.e., sending real transactions) and warns about acting on mainnet. These are specific crypto/blockchain execution functions (wallet management, signing, and broadcasting transactions), which qualify as direct financial execution authority.
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata