atxp

Warn

Audited by Snyk on Mar 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly ingests untrusted third-party content — e.g., web pages via npx atxp@latest search, X/Twitter via npx atxp@latest x, inbound email/SMS/call transcripts via email read, phone read-sms, phone read-call, and attachments — and these results are intended to be read and can drive follow-up actions (email/SMS/calls/funded API calls), creating a clear prompt-injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs npx atxp@latest, which downloads and executes the atxp npm package from the npm registry (https://registry.npmjs.org/atxp / https://www.npmjs.com/package/atxp) at runtime, so external code is fetched and executed and is required for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a funded-agent/wallet layer: it creates agent wallets, exposes a balance, and provides funding options that include a Stripe payment link and USDC deposit addresses. Commands reference funding (npx atxp@latest fund, fund --amount), balance and transactions, and numerous paid actions that spend the wallet (email send, phone send-sms, LLM calls, image/video/music generation, phone register, etc.). The docs also call out Stripe and USDC (crypto) funding and state that the ATXP_CONNECTION credential grants full access to the agent's wallet. Because the skill is purpose-built to accept payments and let agents spend funds (including explicit Stripe and crypto deposit flows and wallet credentials), it qualifies as direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 02:00 PM
Issues: 3