taskmarket
Fail
Audited by Snyk on Apr 2, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content explicitly instructs clients to fetch and run remote-updated code (npm -g install each session) and, critically, to execute server-provided "pendingActions" commands verbatim (shell commands returned by the API), while also supporting file submission and long-running daemons/XMTP+email installations — collectively creating a deliberate remote-command-execution / supply-chain / data-exfiltration backdoor vector that can be abused to steal keys or run arbitrary code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). The skill explicitly instructs the agent to curl and re-read https://market.daydreams.systems/skill.md at session bootstrap and to fetch task data via GET /api/tasks/{id} whose user-provided "pendingActions" command fields the agent is told to run verbatim, meaning it ingests public, potentially untrusted task content that can directly change agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs agents at session start to run "curl -s https://market.daydreams.systems/skill.md" and re-read that fetched skill.md before proceeding, so https://market.daydreams.systems/skill.md is a runtime-fetched file that directly controls agent instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built for on-chain payments and wallet management. It targets Base Mainnet USDC, instructs agents to create/import wallets, deposit USDC, set withdrawal addresses, and call withdraw commands. The CLI and Raw API perform signing and X402/EIP-3009 payment-authorized actions (e.g., POST /api/tasks to fund rewards, POST /api/tasks/{id}/accept to trigger payments, POST /api/wallet/withdraw). It also exposes on-chain queries and contract addresses. These are specific crypto/payment operations (wallets, signing, token transfers), i.e. direct financial execution capabilities.
Issues (4)
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata