crucix-intelligence-dashboard

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly performs a "Parallel fetch — all 27 sources queried" each sweep (including public feeds like GDELT, RSS, Yahoo Finance, CelesTrak, Safecast, OpenSky and built-in/extra Telegram OSINT channels shown under "OSINT feed" and "Adding Extra Telegram OSINT Channels") and then runs LLM analysis and alerting on that ingested third‑party content, so untrusted user‑generated/public sources can materially influence decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installation instructions require cloning and running code from the external repository https://github.com/calesthio/Crucix.git (git clone followed by npm install / npm run dev), which fetches remote code that will be executed locally and is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly lists Alpaca API keys (ALPACA_API_KEY, ALPACA_SECRET_KEY) under "Trading (optional)" and references a /portfolio command that "requires Alpaca keys." Alpaca is a brokerage API that supports placing market/orders and managing trading accounts, which is a specific financial-execution integration (market orders). Therefore this skill includes a direct financial execution capability.