mine

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and Task Acquisition Model) explicitly instructs the agent to pull and crawl public seed URLs from dataset.source_domains (e.g., Wikipedia MediaWiki Random API, arXiv listings, Amazon bestseller pages) and to ingest page content (cleaned_data/structured_data) — including browser-authenticated sites like LinkedIn per docs/BROWSER_SESSION.md — and then use that content in submissions, PoW answers, and validator evaluations, which clearly exposes the agent to untrusted, user-generated third‑party content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's mandatory bootstrap step fetches and installs the awp-wallet repository from GitHub (e.g. git clone https://github.com/awp-core/awp-wallet.git or an equivalent install during scripts/bootstrap.sh), which downloads and executes remote code as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly requires and describes on-chain crypto operations: wallet registration "performed via the AWP Skill (on‑chain call)", validator staking (mandatory 10,000 AWP) with an option for "agent stakes" (agent stakes its own AWP and allocates it via the AWP Skill), and guidance about reward addresses and private-key-like secrets (VALIDATOR_PRIVATE_KEY, mnemonics). Those are specific crypto/blockchain actions (staking, on‑chain registration/allocations) rather than generic tooling. Because it directly references and delegates on‑chain staking and wallet operations, it constitutes direct financial execution capability.