signals

Warn

Audited by Snyk on Feb 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill fetches and parses arbitrary public RSS feeds (checkRSS: fetch(source.config.feedUrl)), pulls Twitter posts via a Nitter RSS endpoint (checkTwitter: fetch(${nitter}/${username}/rss)), and accepts webhook payloads (SKILL.md webhook POST). That untrusted, user-generated content is then analyzed in processSignal to decide and execute automated trades, so anyone who can publish to a watched feed, post under a watched username, or reach the webhook endpoint can craft text that the skill treats as a trading signal; third-party content can directly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). At runtime this skill fetches external feeds (e.g., the hard-coded Nitter instance https://nitter.privacydev.net and arbitrary RSS feed URLs passed to /signal add rss) and uses the fetched content to decide and execute trades. Neither the instance nor the feed content is verified by the skill, so remote content directly controls agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly automates crypto trades: it monitors RSS/Twitter/webhook signals "to trigger automatic trades", has commands to configure trade amount and slippage, filter rules that map signals to buy/sell, auto-detection of token mint addresses, and lists support for crypto DEX routing (Raydium, Jupiter, Pump.fun). These are specific crypto trading/execution capabilities (swaps/orders), not generic tooling, so it grants direct financial execution authority.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 08:53 PM