awp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and may install/run off‑chain "worknet" skills from the skills_uri returned by worknets.getSkills (Q6 — e.g., third‑party GitHub repos noted in "Install Worknet Skill"), which are public, user‑provided sources and can change agent behavior or subsequent actions if installed.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime setup step (Case C) clones and executes code from https://github.com/awp-core/awp-wallet.git (git clone ... && bash /tmp/awp-wallet-install/install.sh), which fetches remote code and runs it as a required dependency, meeting the conditions for a high-confidence runtime risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto protocol client with full wallet integration and transaction execution capabilities. It requires an EVM wallet CLI (awp-wallet), details signing flows (EIP-712 domains, ERC‑2612 permits), provides a Node.js signing bridge, and bundles onchain/relay scripts for deposit/stake/allocate/deallocate/withdraw, register worknets, create/execute proposals, vote, claim rewards, etc. It also documents relay and on-chain endpoints that submit transactions and return tx hashes, and enforces transaction confirmation flows. These are specific crypto/financial actions (moving/staking tokens, withdrawing, sending transactions), not generic tooling—so it grants direct financial execution authority.