agentbox-provision
Fail
Audited by Snyk on Mar 4, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to save sensitive tokens (accessToken, gatewayToken, wallet key material) and then embed them verbatim in shell commands and curl Authorization headers. That design forces the LLM to read and emit the secrets itself, so they pass through model context and any transcript or log of the session instead of being supplied out of band (for example by the shell from an environment variable).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's runtime workflow instructs the agent to send requests to, and read OpenAI-compatible chat completions from, a provisioned, externally hosted VM at https://NAME.agentbox.fyi/v1/chat/completions (see "3. Chat completions" in SKILL.md). Those responses are untrusted third-party content that the agent must interpret, and they could carry instructions that materially influence its subsequent actions (indirect prompt injection).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill performs on-chain payments: it requires a Solana wallet holding USDC, imports Solana signing utilities and @x402/fetch/@x402/svm, wraps fetch with payment handling, and calls endpoints that "Pays $5 USDC automatically via x402" (provision and extend). This is a specific crypto payment integration (USDC on Solana with wallet signing) intended to move funds, not a generic API or browser automation, so the skill grants the agent direct financial execution capability: every provision or extend call spends from the wallet.
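The W007 finding turns on one distinction: whether the secret reaches the Authorization header through the model's own output (a placeholder such as `<accessToken>` that the agent is told to fill in, or a literal token) or through the shell from an environment variable the model never sees. The following check makes that distinction mechanically. It is an added example written for this page, not Snyk's detector and not code from the audited skill; the SKILL.md excerpt, hostname, token and environment-variable names in it are constructed.

```python
"""Heuristic check for the W007 pattern: skill instructions that make the
agent emit a saved credential verbatim into a curl Authorization header.

Constructed illustration (not Snyk's detector, not the audited skill).
The sample SKILL.md text, hostname, token and env-var names are made up.
"""
import re
from dataclasses import dataclass

# Matches an Authorization header inside a curl -H/--header flag or in a bare
# HTTP snippet and captures the credential after an optional scheme ("Bearer").
AUTH_HEADER = re.compile(
    r"""(?:(?:-H|--header)\s*["']?\s*)?Authorization\s*:\s*(?:[A-Za-z]+\s+)?(?P<cred>[^"'\s]+)""",
    re.IGNORECASE,
)
# "$GATEWAY_TOKEN" or "${GATEWAY_TOKEN}": the shell substitutes the secret;
# the model only ever emits the variable name.
ENV_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# "<accessToken>", "{accessToken}", "{{accessToken}}", "[token]": the model is
# expected to paste the saved secret into the command it outputs.
PLACEHOLDER = re.compile(r"^(<[^>]+>|\{\{?[^}]+\}\}?|\[[^\]]+\])$")


@dataclass
class Finding:
    line_no: int
    kind: str      # "env_ref" | "model_substituted" | "literal"
    cred: str
    excerpt: str


def classify(cred: str) -> str:
    """Decide who supplies the credential value: the shell, the model, or the doc itself."""
    if ENV_REF.match(cred):
        return "env_ref"
    if PLACEHOLDER.match(cred):
        return "model_substituted"
    return "literal"


def scan(text: str) -> list[Finding]:
    """Return every Authorization header found in skill-instruction text, classified."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AUTH_HEADER.finditer(line):
            cred = m.group("cred")
            findings.append(Finding(n, classify(cred), cred, line.strip()))
    return findings


def risky(findings: list[Finding]) -> list[Finding]:
    """Anything the model itself would have to emit: placeholders or literal tokens."""
    return [f for f in findings if f.kind != "env_ref"]


def suggest_env_ref(cred: str) -> str:
    """Turn a placeholder like '<gatewayToken>' into '${GATEWAY_TOKEN}' for a hardened rewrite."""
    name = re.sub(r"[<>\[\]{}]", "", cred)
    name = re.sub(r"(?<!^)(?=[A-Z])", "_", name).upper()   # camelCase -> SCREAMING_SNAKE
    return "${" + re.sub(r"[^A-Z0-9_]", "_", name) + "}"


# Constructed SKILL.md excerpt (made up for this example; not the audited skill's text).
SAMPLE_SKILL_MD = """\
1. POST /provision and save the accessToken and gatewayToken from the response.
2. Chat completions: paste the saved token into the header:
   curl -H "Authorization: Bearer <gatewayToken>" https://gateway.example/v1/chat/completions
3. Stale example left in the doc:
   curl --header 'Authorization: Bearer sk_live_0123456789abcdef' https://gateway.example/v1/models
4. Hardened form: the shell expands the variable, the agent never sees the token:
   curl -H "Authorization: Bearer ${GATEWAY_TOKEN}" https://gateway.example/v1/chat/completions
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SKILL_MD):
        fix = "" if f.kind == "env_ref" else f"  -> use {suggest_env_ref(f.cred)}"
        print(f"line {f.line_no}: {f.kind:17} {f.excerpt}{fix}")
```

Run against the constructed excerpt, the scan flags the placeholder on line 3 and the literal token on line 5 and accepts the `${GATEWAY_TOKEN}` form on line 7. The classification is deliberately conservative: any value that is not a shell variable reference is treated as something the model would have to emit, which is exactly the property W007 objects to. It does not catch instructions that describe the substitution in prose ("put the saved token after Bearer") without an example command, so it complements rather than replaces reading the skill.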
Audit Metadata