atxp
Warn
Audited by Snyk on Apr 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly lists commands that fetch and return external, untrusted user-generated content (e.g., `npx atxp@latest search` for web pages, `npx atxp@latest x` for X/Twitter posts, `npx atxp@latest email read` and `phone read-sms` for inbound messages) which the agent is expected to read and which can materially influence subsequent actions (sending emails/SMS, making paid calls, spending wallet funds), creating a clear indirect prompt-injection vector.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs `npx atxp@latest`, which fetches and executes the atxp npm package from the npm registry (https://www.npmjs.com/package/atxp) (source: https://github.com/atxp-dev/cli), so remote code is downloaded and executed at runtime and is a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides an agent-owned wallet and commands to fund and spend that wallet. It exposes payment gateways and crypto deposit options (Stripe payment link and USDC deposit addresses on Base and Solana via the `fund` command), wallet/balance/transactions management (`balance`, `transactions`, `fund --amount`), and paid commands that debit the agent balance (email send, phone send-sms/call, LLM gateway billed from ATXP credits, image/video/music generation, etc.). The credential `ATXP_CONNECTION` grants full access to the agent's wallet. These are specific, built-in financial operations (payment gateway + crypto funding + spending from a wallet), not generic tools, so this skill grants direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata