base-wallet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). Although the prompt emphasizes secure handling (env vars, no console.log), it includes examples that output/export PRIVATE_KEY and show inline PRIVATE_KEY="0x..." command usage—meaning an agent could be required to emit actual private keys verbatim in its outputs or commands, which creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's basemail-register.js script explicitly fetches and consumes responses from the public API at https://api.basemail.ai (calls to /api/auth/start, /api/auth/verify, and /api/register) and uses those untrusted JSON fields (including the signable "message", auth token, and suggested_email) to decide authentication, signing, and registration actions, so third-party content can materially influence tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet for the Base/Ethereum ecosystem and provides programmatic wallet creation, private key/mnemonic management, RPC provider configuration, balance checks, message signing (SIWE) and, critically, code examples for sending transactions (connectedWallet.sendTransaction + tx.wait). These capabilities (creating/controlling wallets, holding private keys, and issuing blockchain transactions via an RPC) are direct mechanisms to move value on-chain. This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Send Transaction" criteria for Direct Financial Execution.