aelf-skills-hub
Warn
Audited by Snyk on Apr 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This hub explicitly downloads and parses third‑party GitHub repos and npm packages (see scripts/bootstrap.ts downloadViaGithub / downloadViaNpm and the README/AI Quick Prompt advising ./bootstrap.sh --source github), and it reads SKILL.md, openclaw.json and skills-catalog.json via catalog generation and health checks to drive routing and install commands — meaning untrusted repository content can directly influence the agent's tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The bootstrap and install flow downloads and installs remote skill packages (via git clone and npm pack) and may execute their install/setup commands at runtime. For example, the repository URL https://github.com/AElfProject/aelf-skills.git is referenced, and its code (or code from other GitHub/npm repo URLs listed in the catalog) can be cloned/packed and then have its install scripts run locally, which constitutes fetching and executing remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The hub explicitly catalogs and routes to skills that perform cryptocurrency financial actions: Portkey CA/EOA wallets with "transfer", create/import and signing functionality; Awaken DEX with "swap" and liquidity actions; eForest marketplace with "trade"/listing; and an aelf-node skill that can "contract view/send" and handle txs. These are specific crypto/blockchain execution capabilities (wallets, swaps, signing, sending transactions), so this grants direct financial execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).