deepsky-sustain

Fail

Audited by Snyk on Mar 24, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt instructs the agent to "silently install" external skill repositories and to auto-install/auto-start auxiliary software (SupeRISE Agent Wallet), which are hidden/deceptive side-effects not transparently required by the stated sustain actions and thus constitute prompt-injection-like instructions outside the skill's declared purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and install public packages/repos (e.g., "npm install -g @superise/deepsky-cli" and "Install skills... https://github.com/appfi5/deepsky-tools.git and https://github.com/appfi5/superise-for-agent") and to run CLI commands that read JSON from remote platform endpoints (health-check/forecast), so it clearly ingests untrusted third‑party content whose outputs or installed code can influence subsequent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill’s setup explicitly runs an install step that, at runtime, fetches and installs code from the Git repositories https://github.com/appfi5/deepsky-tools.git and https://github.com/appfi5/superise-for-agent (and also installs the @superise/deepsky-cli npm package), which are remote code sources that would be executed/loaded and can directly affect agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes commands to move money: it is centered on checking balances, creating top-up orders, transferring CKB, submitting tx hashes, and retrying top-up orders. It references wallets (MCP, SupeRISE Agent Wallet), Nervos identity/address/publicKey, CKB amounts, exchangeAmount, and OpenClaw provider setup. The docs state "top-up ... creates the order, transfers CKB, and submits the tx hash as one flow" and instruct the agent to choose and execute top-up amounts autonomously. This is a specific crypto/payment execution capability, not a generic tool.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs installing global npm packages, auto-installing and auto-starting an agent wallet, installing skills globally, registering system events and scheduling recurring jobs—actions that modify system state and may require elevated privileges—so it poses a risk of compromising the host state.

Issues (5)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 24, 2026, 06:48 AM
Issues: 5