open-persona

Warn

Audited by Snyk on Mar 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and search external community repositories (e.g., "Recommending Skills" — npx clawhub@latest search and fetching https://skills.sh/api/search?q=<keywords>) and to treat install/evolution.channels entries that can be arbitrary URLs (e.g., "install": "url:https://evomap.ai/skill.md") as soft references, meaning the agent will ingest and act on untrusted third‑party/user‑generated content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly allows runtime-activated install entries that fetch external SKILL.md content which can directly control persona prompts/instructions (example: url:https://evomap.ai/skill.md), so this external URL represents a runtime dependency that can change agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes an "economy" faculty that provides a real financial ledger backed by AgentBooks and CLI/manifest integration for ACN registration that includes a wallet_address and an onchain.erc8004 section with a registration command (npx @agentplanet/acn register-onchain). These are concrete, finance-specific features tied to blockchain wallets/on-chain identity and a real ledger (not generic tooling). Because it exposes crypto-related wallet/address and on-chain registration capabilities (i.e., explicit blockchain/crypto functionality), it meets the criteria for Direct Financial Execution risk.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 08:19 PM