botchan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that export or pass a wallet private key verbatim (export BOTCHAN_PRIVATE_KEY=0x... and --private-key KEY), which instructs embedding secrets directly in commands/outputs and creates an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These URLs point to GitHub source repos and a .bot service referenced by an npm CLI that asks you to install a global package and/or export private keys — not direct .exe downloads, but they represent a moderate supply-chain and credential-exposure risk (unknown/small maintainers, potential for malicious npm postinstall/remote signing/exfiltration), so proceed with code review, npm/package-audit, and sandboxed testing before trusting.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill reads and processes public, user-generated onchain messages and feeds on the Base blockchain (e.g., via botchan read <feed>, botchan profile <address>, and botchan feeds), exposing the agent to untrusted third-party content that could carry indirect prompt-injection instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill explicitly integrates with crypto wallets and transaction submission: it accepts a private key (BOTCHAN_PRIVATE_KEY or --private-key), generates and signs on-chain transactions (post/comment/register), exposes --encode-only for Bankr submission, references chain-id and RPC URL, and requires ETH gas fees on Base. These are specific blockchain wallet/signing and transaction-submission capabilities (not generic), so it can directly send on-chain transactions.