alva

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and reasons over open/public third-party content — e.g., the "Content Search" / unified_search runtime modules (news, Twitter/X, Reddit, YouTube, web/URL scraping) and feed_widgets (getTwitterFeed/getTwitterBackfill) plus examples using require("net/http") and ADK tools to fetch external URLs — and those sources are user-generated/untrusted and are described as inputs the agent must read and synthesize to drive playbook logic, signals, and agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires fetching a remote skill blueprint at runtime via the skillhub call (alva skillhub file / template.md), and that fetched blueprint is treated as authoritative guidance that directly controls the agent's planning and build instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a finance platform with a trading surface. It documents an Altra trading engine (backtesting + continuous live paper trading), and the CLI includes a trading command for accounts, portfolio, orders, signals and mentions an execute flow / --signal schema. These are specific trading/order capabilities (market orders / portfolio/orders/signal execution), not generic HTTP or browser tools. Therefore it grants direct financial execution authority (at least for trading/order operations, including live paper trading and the documented order APIs).