bsocial

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs CLI usage that requires passing a WIF (wallet private key) as a direct command-line argument (e.g., bun run ... ), which forces the agent/user to include secret private keys verbatim in commands/outputs, creating high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's read operations (lib/bmap-client.ts using https://bmap-api-production.up.railway.app and the scripts like scripts/read-posts.ts and scripts/read-messages.ts) fetch and parse public BSocial posts/messages (user-generated content) as part of normal workflow, which the agent is expected to read and could use to decide or trigger follow-up social actions, exposing it to possible indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain blockchain actions and includes wallet signing and transaction broadcasting. Evidence:
• The recommended createSocialPost action "Signs with the wallet's BAP identity key via AIP (using WalletSigner...)" and returns { txid, rawtx, error }.
• CLI scripts accept a WIF private key and provide options to build and broadcast transactions (e.g., create-post, create-like, create-reply), with a --dry-run to build without broadcasting, implying normal operation broadcasts the tx.
• Dependencies include @bsv/sdk and signing/transaction building libraries, and an /ingest endpoint that accepts rawTx. These are concrete crypto operations (wallet signing and sending transactions). Per the rule (Crypto/Blockchain: Wallets, Signing), this is direct financial execution capability.