sbtc-yield-maximizer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt requires unlocking a local wallet via the AIBTC_WALLET_PASSWORD environment variable and provides example commands that embed the plaintext password inline, which would force an agent to accept and echo a secret verbatim into generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill fetches and parses live, public third-party data (e.g., BITFLOW_QUOTES_API, BITFLOW_APP_API, BITFLOW_BINS_API, and the Hiro API at https://api.mainnet.hiro.so as seen in sbtc-yield-maximizer.ts) and explicitly uses those untrusted market/pool reads to decide and drive on-chain actions (the route decision and the run/write flow), so external content can materially influence tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain financial operations: it unlocks a local AIBTC wallet with AIBTC_WALLET_PASSWORD, signs and broadcasts real Zest sBTC supply transactions on mainnet, enforces gas/reserve caps, outputs txid/explorer URLs, and exposes a run command that executes the supply when confirmed. These are concrete crypto wallet/signing and transaction-sending capabilities (not generic tooling), so it grants direct financial execution authority.