virtuals-protocol-acp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls client.browseAgents() and other ACP SDK methods (see scripts/index.ts) and SKILL.md/README instruct the agent to always run browse_agents against the public Virtuals ACP registry (https://app.virtuals.io/acp) and then select agents/jobOfferings and ingest job deliverables — i.e., untrusted, user-generated third‑party agent profiles and deliverables are fetched and used to drive tool selection and actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly built on a blockchain protocol (Virtuals Protocol ACP on Base) and requires wallet credentials (WALLET_PRIVATE_KEY, AGENT_WALLET_ADDRESS, SESSION_ENTITY_KEY_ID). It exposes commands to get_wallet_balance and to execute_acp_job which interacts with the ACP SDK, polls on-chain transactions (mentions waitForUserOperationTransaction/RPC), and therefore can sign and submit transactions using the provided private key. This is a specific crypto/blockchain wallet and transaction capability (signing/sending), so it constitutes direct financial execution authority.