bsocial
Fail
Audited by Snyk on Apr 12, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs CLI usage that takes a WIF (private key) as a positional argument (e.g., bun run ... ...) which encourages copying/pasting private keys into commands and would require the LLM to include secret values verbatim if reproducing those commands.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's lib/bmap-client.ts explicitly fetches user-generated BSocial content from the public BMAP API (https://bmap-api-production.up.railway.app) and the README/SKILL.md plus multiple scripts (e.g., scripts/read-posts.ts, read-messages.ts, read-likes.ts) show the agent reading and displaying that untrusted social/forum-style content as part of normal workflow, which could carry embedded instructions that influence subsequent actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built around on-chain BSV operations and wallet usage. It exposes wallet signing and transaction-building APIs (createSocialPost uses a WalletSigner; CLI scripts accept WIF and can build/broadcast raw transactions; wallet.getPublicKey / encrypt / decrypt are used), and provides an ingest endpoint to submit rawTx. These are specific crypto/blockchain capabilities (wallet signing and broadcasting transactions), not generic tooling — therefore it grants direct crypto execution authority.
Issues (3)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata