helixa

Warn

Audited by Snyk on Mar 22, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's scripts and SKILL.md explicitly fetch public, user-generated agent profiles and narratives from the Helixa API (e.g., https://api.helixa.xyz/api/v2/agent/:id and /api/v2/agents, as used by scripts/helixa-agent.sh, helixa-agents.sh, helixa-get.sh). Those API responses (names, narratives, traits) are untrusted content that the agent reads, and they can materially influence actions such as cred-based decisions and mint/update/verify workflows. The docs themselves warn that API responses contain user-generated content and may contain prompt-injection attempts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly describes on-chain payment and transaction capabilities. It includes a direct contract address and a concrete "Human Mint" example using cast send with --value 0.0025ether and --private-key $PRIVATE_KEY. It documents x402 micropayments ($1 USDC) and shows integrating the x402 SDK (npm packages and wrapFetchWithPayment) to perform paid API calls. It also instructs signing messages and using wallet private keys (SIWA) and RPC endpoints. These are specific crypto/blockchain transaction tools to move funds/execute transactions, so this is direct financial execution.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 22, 2026, 09:45 PM
Issues: 2