nostr


Audited by Snyk on Mar 20, 2026

Risk Level: MEDIUM

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill queries public, user-generated Nostr relays (DEFAULT_RELAYS wss://relay.damus.io and wss://nos.lol in nostr.ts, used by read-feed, search-tags and get-profile) and fetches aibtc.news signals from https://1btc-news-api.p-d07.workers.dev/takes/ (amplify-signal). The fetched text is then used to compose posts and is merged into profile data, so anything that anyone can publish to those relays or serve from that endpoint is read by the agent and can steer its actions, including which events it signs and publishes. The check a reviewer wants here is that every such string is handled as data to be quoted, never as an instruction to the agent, and that no event is signed without an explicit user confirmation.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The amplify-signal subcommand fetches https://1btc-news-api.p-d07.workers.dev/takes/${signalId} at runtime and uses the returned thesis and target_claim fields as the content of the note the agent posts. The skill has no way to verify that response, so whoever controls the endpoint, or can tamper with the reply in transit, controls what the agent publishes.
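W011 and W012 describe one pattern: text fetched from a relay or from the signals endpoint flows straight into the note the agent signs. The following is an added example, not code from the skill or from nostr.ts, of how the amplify-signal step can be hardened so that remote content is treated as data to quote rather than as instructions to follow. Everything in it is an assumption for illustration: the Signal shape (id plus the thesis and target_claim fields the finding names), the allowlisted origin, the character limit, the instruction-phrase heuristics, and the function names.

```typescript
// Added example, not code from the audited skill or from nostr.ts. Hardens the
// amplify-signal flow: the fetched signal is validated, bounded, framed as a
// quotation, and returned as a draft that still needs user confirmation.
// All identifiers below are assumptions, not APIs of the audited skill.

interface Signal { id: string; thesis: string; target_claim: string }

interface DraftNote {
  content: string;
  source: string;
  requiresConfirmation: true; // a draft is never published without a human yes
  warnings: string[];
}

// The only origin amplify-signal may read from, and the only path shape it may request.
const ALLOWED_ORIGIN = "https://1btc-news-api.p-d07.workers.dev";
const SIGNAL_ID = /^[A-Za-z0-9_-]{1,64}$/;
const MAX_FIELD = 280;

// Control, zero-width and bidi-override characters can hide text from a reviewer.
const HIDDEN_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F\u200B-\u200F\u202A-\u202E\u2066-\u2069]/g;

// Heuristic only: phrases that read as instructions to the agent rather than as news.
const INSTRUCTION_PATTERNS = [
  /ignore (all |any )?(previous|prior|above) instructions/i,
  /\b(you are|you must|your (new )?task)\b/i,
  /\b(nsec|private key|mnemonic|seed phrase)\b/i,
  /\b(post|publish|send|sign) (this|the following)\b/i,
];

// The pattern the audit flags: remote fields become the note body as-is.
function unsafeNoteFromSignal(remote: any): string {
  return `${remote.thesis}\n${remote.target_claim}`;
}

// Exact-match allowlist: origin, path and id format, no query string, no fragment.
function isAllowedSignalUrl(url: string, signalId: string): boolean {
  if (!SIGNAL_ID.test(signalId)) return false;
  let u: URL;
  try { u = new URL(url); } catch { return false; }
  return u.origin === ALLOWED_ORIGIN && u.pathname === `/takes/${signalId}` && u.search === "" && u.hash === "";
}

function cleanField(value: unknown, name: string): string {
  if (typeof value !== "string") throw new Error(`signal.${name} must be a string`);
  const cleaned = value.replace(HIDDEN_CHARS, "").replace(/\s+/g, " ").trim();
  if (cleaned.length === 0 || cleaned.length > MAX_FIELD) {
    throw new Error(`signal.${name} must be 1-${MAX_FIELD} characters after cleaning`);
  }
  return cleaned;
}

// Schema check on the decoded JSON; anything unexpected is rejected, not passed through.
function parseSignal(raw: unknown): Signal {
  if (typeof raw !== "object" || raw === null) throw new Error("signal must be an object");
  const r = raw as Record<string, unknown>;
  const id = cleanField(r.id, "id");
  if (!SIGNAL_ID.test(id)) throw new Error("signal.id has an unexpected format");
  return { id, thesis: cleanField(r.thesis, "thesis"), target_claim: cleanField(r.target_claim, "target_claim") };
}

function looksLikeInjection(text: string): boolean {
  return INSTRUCTION_PATTERNS.some((re) => re.test(text));
}

// Frame third-party text as a quotation and return a draft, never a published event.
function buildAmplifyNote(signal: Signal, sourceUrl: string): DraftNote {
  if (!isAllowedSignalUrl(sourceUrl, signal.id)) throw new Error("source URL not allowed");
  const warnings: string[] = [];
  const fields: Array<[string, string]> = [["thesis", signal.thesis], ["target_claim", signal.target_claim]];
  for (const [name, text] of fields) {
    if (looksLikeInjection(text)) warnings.push(`${name} contains instruction-like text; review before publishing`);
  }
  const content = [
    `Signal ${signal.id} from aibtc.news (quoted third-party content, unverified):`,
    `> ${signal.thesis}`,
    `> Target: ${signal.target_claim}`,
    sourceUrl,
  ].join("\n");
  return { content, source: sourceUrl, requiresConfirmation: true, warnings };
}
```

The phrase heuristics will miss most injections, so the draft's requiresConfirmation flag is the real control: the agent shows the framed content to the user and only then calls the signing path. The same framing applies to text read from DEFAULT_RELAYS by read-feed and search-tags, and to the profile data that get-profile merges.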

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill derives a Nostr private key from a BIP-84 Bitcoin wallet mnemonic and derivation path, requires an unlocked wallet for write operations, and signs events with the derived key. These are concrete wallet key-derivation and signing capabilities bound to the user's Bitcoin HD wallet, not generic HTTP or browser automation, so the skill meets the Direct Financial Execution criterion. In practice the wallet secret is available every time the agent posts, which makes the two previous findings more serious than they would be for a stand-alone Nostr key. Points worth confirming in the code: that the Nostr key comes from a hardened path separate from the spending branch, and that only the derived key, never the mnemonic or master key, is reachable from the agent's side.
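An added example (not the skill's own derivation code) of the property a reviewer would want to verify for this finding: that the Nostr key is a hardened BIP32 child of the wallet seed, so the agent can be given that one child key without the mnemonic, and that write operations are gated behind an explicit unlock. The derivation is BIP32 hardened child derivation implemented with Node's crypto module (hardened steps only; a non-hardened step needs EC point arithmetic and is refused). The path m/0' used for the test values and the GatedSigner class are assumptions; the audited skill's actual BIP-84 path is not reproduced here. BIP-340 event signing is not implemented either: signWith hands the key to whatever signing routine the caller supplies.

```typescript
// Added example, not code from the audited skill. BIP32 hardened derivation
// (hardened steps only) plus a locked-by-default holder for the derived key.
import { createHmac, createHash } from "node:crypto";

// secp256k1 group order n; BIP32 private-key arithmetic is done mod n.
const N = BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141");
const HARDENED = 0x80000000;

interface ExtKey { key: Buffer; chain: Buffer }

// BIP32 master key from a seed: I = HMAC-SHA512(key = "Bitcoin seed", seed).
function masterFromSeed(seed: Buffer): ExtKey {
  const I = createHmac("sha512", "Bitcoin seed").update(seed).digest();
  const k = BigInt("0x" + I.subarray(0, 32).toString("hex"));
  if (k === BigInt(0) || k >= N) throw new Error("invalid master key");
  return { key: I.subarray(0, 32), chain: I.subarray(32) };
}

// Hardened child: I = HMAC-SHA512(chain, 0x00 || key || ser32(index)); child = (IL + key) mod n.
// Knowing a hardened child does not reveal the parent, which is the isolation we want.
function hardenedChild(parent: ExtKey, index: number): ExtKey {
  if (index < HARDENED) throw new Error("non-hardened step needs EC point math; refused");
  const data = Buffer.alloc(37);
  data[0] = 0;
  parent.key.copy(data, 1);
  data.writeUInt32BE(index >>> 0, 33);
  const I = createHmac("sha512", parent.chain).update(data).digest();
  const il = BigInt("0x" + I.subarray(0, 32).toString("hex"));
  if (il >= N) throw new Error("invalid child; skip index");
  const child = (il + BigInt("0x" + parent.key.toString("hex"))) % N;
  if (child === BigInt(0)) throw new Error("invalid child; skip index");
  return { key: Buffer.from(child.toString(16).padStart(64, "0"), "hex"), chain: I.subarray(32) };
}

// Parse "m/44'/1237'/0'"-style paths; every segment must be hardened.
function deriveHardenedPath(seed: Buffer, path: string): ExtKey {
  const parts = path.split("/");
  if (parts[0] !== "m") throw new Error("path must start with m");
  let node = masterFromSeed(seed);
  for (const p of parts.slice(1)) {
    const m = /^(\d+)'$/.exec(p);
    if (!m) throw new Error(`only hardened segments are supported: ${p}`);
    node = hardenedChild(node, HARDENED + Number(m[1]));
  }
  return node;
}

// Locked-by-default holder for the derived key. The seed is used once, inside
// unlock(), and discarded; the agent only ever sees a fingerprint and a boolean.
class GatedSigner {
  private key: Buffer | null = null;
  constructor(private readonly path: string) {}

  unlock(seed: Buffer): void {
    const node = deriveHardenedPath(seed, this.path);
    this.key = Buffer.from(node.key);
    node.key.fill(0);
    node.chain.fill(0);
  }

  lock(): void {
    if (this.key) { this.key.fill(0); this.key = null; }
  }

  isUnlocked(): boolean { return this.key !== null; }

  // Every write path calls this first; read-only relay queries never need it.
  requireUnlocked(action: string): void {
    if (!this.key) throw new Error(`${action} requires an unlocked wallet`);
  }

  fingerprint(): string {
    this.requireUnlocked("fingerprint");
    return createHash("sha256").update(this.key!).digest("hex").slice(0, 16);
  }

  // The key is exposed only to the supplied signing routine (e.g. a BIP-340
  // Schnorr signer from a library), never returned to the caller.
  signWith<T>(action: string, sign: (key: Buffer) => T): T {
    this.requireUnlocked(action);
    return sign(this.key!);
  }
}
```

The values asserted below are the BIP32 test-vector-1 keys for seed 000102030405060708090a0b0c0d0e0f, which is how a reviewer can check a derivation routine against a known answer before trusting it with a real wallet.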

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 20, 2026, 11:17 PM
Issues: 3