plugins

Warn

Audited by Snyk on Feb 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's documentation and API explicitly allow installing plugins from a registry and arbitrary URLs (e.g., SKILL.md shows registry 'https://plugins.clodds.ai' and installing from 'https://github.com/.../plugin.zip'), and plugin code can register commands, tools, and message hooks (see "Create Custom Plugin" and package.json permissions), so third‑party, user-provided plugin code would be loaded and can influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The plugin manager explicitly lists a "trading" permission described as "Trading APIs" and exposes mechanisms to register tools/execute code and make network requests (plugins can request network + trading permissions and register tools with execute handlers). Although the skill is a general plugin manager, the presence of a dedicated "trading" permission (i.e., explicit support for trading APIs/market operations) meets the criteria for Direct Financial Execution (market orders / trading APIs). Therefore it can be used to execute financial transactions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill enables installing and running arbitrary plugins (including installing from URLs or local paths) and explicitly exposes an 'exec' permission plus local storage, which can be used to modify files or execute shell commands and thus compromise the host system.

Audit Metadata

Risk Level: MEDIUM

Analyzed: Feb 20, 2026, 08:52 PM