bios-deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses untrusted responses from the open BIOS/x402 API (e.g., POST /api/deep-research/start returns a 402 with payment requirements in the response body or PAYMENT-REQUIRED header in Step 1, and GET /api/deep-research/{conversationId} returns SIWX challenges and AI-generated results in Step 4/4a) and those responses are parsed and used to drive follow-up actions (payment signing, retries, and polling), so third-party content directly influences tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's Python client runs npm install at runtime to fetch and execute Node packages (e.g., @coinbase/cdp-sdk, @x402/core, @x402/evm, viem) from the npm registry (https://registry.npmjs.org) and then invokes the local Node signer (research_signer.mjs), so remote code is fetched during runtime and executed as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements a crypto payment flow: x402 USDC payments on Base (chain eip155:8453). It details creating an x402 v2 payment payload, EIP-712 signing (transferWithAuthorization / sign_typed_data), encoding a PAYMENT-SIGNATURE header, resubmitting the request to trigger settlement, SIWX polling tied to the paying wallet, and describes on-chain feedback submission (calling giveFeedback() on an ERC-8004 contract with a Base contract address). These are specific, purpose-built crypto payment and on-chain transaction instructions (signing payloads and settling USDC), not generic HTTP or browser automation. Therefore it is designed to move/authorize money on-chain.