kya
Warn
Audited by Snyk on May 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill repeatedly calls the public KYA API (e.g., https://kya.link and https://api.awp.sh) and its runtime contract/SDK/SKILL.md explicitly requires the agent to read and act on server-provided JSON fields like _internal.next_command/_internal.next_action (and magic handoff URLs), so untrusted third-party responses can directly determine the agent's next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The repo's install/bootstrap scripts fetch and execute remote installer/binaries at runtime (notably https://raw.githubusercontent.com/awp-worknet/kya-skill/main/install.sh which in turn downloads the release asset via https://github.com/awp-worknet/kya-skill/releases/latest/download/), so required external content is retrieved and executed during setup.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to perform blockchain financial actions. It directs EIP-712 signing and relayer-submitted transactions (AWPRegistry.SetRecipient, GrantDelegate) and supports a delegated-staking flow (kya-agent set-recipient --amount → delegated_staking_request) that returns tx_hashes and matched allocation ids. Subcommands like set-recipient, grant-delegate, sign, sign-action and the documentation about relayer broadcasts, staking amounts (AWP), and per-agent caps make its primary purpose to move or authorize on-chain assets. This matches the crypto/blockchain category in the core rule.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata