bounty-scanner

Warn

Audited by Snyk on Mar 26, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill fetches bounties and full bounty details from the public API at https://bounty.drx4.xyz (see fetchBounties/fetchBountyDetail in bounty-scanner.ts and the SKILL.md/AGENT.md flows). It then reads titles, descriptions and tags, plus the action fields (signing_format, endpoint, required_fields), and uses them to score matches, decide auto-claims, and drive signing and submission. Untrusted, user-generated third-party content therefore directly influences tool use and actions, so a crafted bounty listing can steer what the agent does.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill calls the runtime API at https://bounty.drx4.xyz/api (BOUNTY_API) to fetch bounty "actions", including an endpoint and a signing_format, and uses them verbatim to instruct the agent or user how to sign and where to POST. Remote content therefore controls the agent's instructions at runtime, with no way to verify that content before it is acted on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly supports claiming bounties with Bitcoin signatures: it reports rewards in amount_sats, exposes a claim <uuid> command that returns the signing format and endpoint, and requires a BIP-322 or BIP-137 BTC signature to complete the claim, followed by a POST to the returned endpoint. The autonomous flow instructs the agent to sign with BTC and submit the claim. This is a specific crypto signing and payment workflow (wallet signing plus submission), not a generic tool, and therefore constitutes direct financial execution capability.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 26, 2026, 07:36 PM
Issues
3