agenta

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs passing API keys and secrets directly on the CLI (e.g., --api-key, --api-secret) and explicitly directs the agent to display API keys from command output, which requires handling and emitting secret values verbatim. Secrets given as command-line arguments are exposed to process listings, shell history and agent transcripts; printing them back into the conversation additionally puts them into logs and context windows the agent does not control.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's x402 workflow (in SKILL.md under "x402 — Agent-to-Agent Payments") explicitly directs the agent to run commands like "agenta sub x402 discover" and "agenta sub x402 fetch https://..." which fetch arbitrary public URLs, return the response body, and can automatically pay. Untrusted third-party content is therefore ingested into the agent's context and can materially influence both payments and subsequent agent actions (indirect prompt injection).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires running remote installer scripts (curl -fsSL https://agentaos.ai/install | bash and curl -fsSL https://fnm.vercel.app/install | bash) during setup, which fetch and execute remote code at runtime and are presented as required installation steps, so they constitute high-risk external dependencies. Nothing in the instructions pins a version or verifies a checksum or signature, so whatever the URL serves at install time runs with the agent's privileges.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and primarily a crypto/payment execution tool. It exposes commands to create payment checkout sessions (agenta pay), generate machine-readable payment endpoints (x402Url), manage agent sub-accounts and wallets (agenta sub create/import/switch/balance), and send on-chain transactions (agenta sub send, x402 fetch which automatically pays). It also includes signing/policy controls and threshold signing for autonomous spending. Most commands are AI-executable (login is the only human-interactive step), and the prompt mandates using these CLI commands for payments and transfers. This is specifically designed to move money on-chain and accept payments—i.e., direct financial execution.
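The three instruction-level patterns the audit flags (secrets on the command line and echoed back, remote scripts piped into a shell, and URL fetches that can trigger payment) can be checked mechanically before a skill is installed. The scanner below is an added example written for this page, not Snyk's analyzer and not code from the agenta project: the regexes are my own heuristics approximating warnings W007, W011 and W012, and the SKILL.md excerpt is constructed (the `agenta login` invocation is assumed; the `--api-key`/`--api-secret` flags, the x402 commands and the two installer URLs are the ones the audit quotes).

```python
import re
from dataclasses import dataclass

# Constructed excerpt standing in for the SKILL.md the audit describes.
# Not the project's real file; the `agenta login` line is an assumption.
SAMPLE_SKILL_MD = """\
## Setup
Run: curl -fsSL https://agentaos.ai/install | bash
Then: curl -fsSL https://fnm.vercel.app/install | bash

## Authentication
agenta login --api-key $KEY --api-secret $SECRET
Display the API key shown in the command output to the user.

## x402 - Agent-to-Agent Payments
agenta sub x402 discover
agenta sub x402 fetch https://example.com/paid-resource
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    line: str


# (rule id, severity, pattern, description). Heuristics approximating the
# audit's warning categories; they are not Snyk's actual rules.
RULES = [
    # W007: a secret handed over as a CLI argument. The negative lookahead
    # keeps `--api-key-file` style flags (a path, not the secret) from matching.
    ("W007", "HIGH",
     re.compile(r"--(api[-_]?key|api[-_]?secret|secret|token|password)(?![\w-])", re.I),
     "secret passed as a CLI argument"),
    # W007: an instruction to echo a secret back into the agent's output.
    ("W007", "HIGH",
     re.compile(r"\b(display|print|show|echo)\b.{0,40}\b(api key|secret|token)", re.I),
     "instruction to emit a secret verbatim"),
    # W012: `curl ... | bash` style remote code execution at install time.
    ("W012", "MEDIUM",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I),
     "remote script piped into a shell"),
    # W011: x402 fetch of an arbitrary URL, which the audit says can auto-pay.
    ("W011", "MEDIUM",
     re.compile(r"\bx402\s+fetch\s+https?://", re.I),
     "fetch of an arbitrary URL that can trigger payment"),
]


def scan(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in document order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, severity, pattern, _desc in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, n, line.strip()))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Overall level is the highest severity present; 'NONE' if clean."""
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f.severity for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    hits = scan(SAMPLE_SKILL_MD)
    for f in hits:
        print(f"{f.severity:6} {f.rule} line {f.line_no}: {f.line}")
    print("Risk Level:", risk_level(hits))
```

Run against the constructed excerpt this reports two W012 hits (the installer lines), two W007 hits (the login line and the "display the API key" instruction) and one W011 hit (the x402 fetch), for an overall HIGH, matching the shape of the audit above. `agenta sub x402 discover` on its own is not flagged, since it carries no URL; a real gate would treat the whole x402 workflow as untrusted input and require a human approval step before any paid fetch.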


Audit Metadata
Risk Level
HIGH
Analyzed
Mar 27, 2026, 04:58 PM
Issues
4