nostr-dvms

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow and examples explicitly instruct the agent/service to fetch and process arbitrary public URLs (i.e., ["i","","url"] with fetch(...) in the example) and to subscribe/fetch Nostr events from public relays (wss://...), which are untrusted, user-generated third‑party sources that the agent will read and act on as part of job processing and chaining.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime explicitly fetches arbitrary HTTP(S) input URLs (e.g., fetch(inputTag[1]) such as https://example.com/article) and then injects that fetched content into the summarization flow, meaning external content can directly control model input at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill explicitly defines and requires payment handling as part of its core protocol: it specifies "bid", "amount", and "" tags, describes a payment-required workflow where the customer must "pay the bolt11 invoice OR zap the result event", and the example even calls generateBolt11(1000). "bolt11" and "zap" are Lightning Network (crypto) payment mechanisms. These are specific financial execution primitives (creating invoices and accepting/triggering Lightning payments), not generic APIs or browser automation. Therefore it grants direct financial execution capability.