droyd
Fail
Audited by Snyk on Apr 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows passing an API key as a direct command-line argument (scripts/droyd-setup.sh "YOUR_API_KEY"), which requires embedding the secret verbatim in generated commands and poses an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public, user-generated content (posts, tweets, news, YouTube) via the /api/v1/search and related endpoints (see references/search.md and scripts/droyd-search.sh) and uses the resulting semantic analysis and recent content in workflows such as project filtering, agent chat, scheduled research/trading tasks, and autonomous trade decisions (see references/project-filter.md, references/tasks.md, scripts/droyd-filter.sh), so untrusted third-party content can be read by the agent and materially influence tool actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency financial operations. The documentation defines autonomous trading and direct trade execution (e.g., scripts/droyd-trade-open.sh with "market_buy", "limit_order", "stop_loss", "take_profit", custom legs), position management (scripts/droyd-positions.sh, scripts/droyd-trade-manage.sh), buying/selling agent tokens (scripts/droyd-agent-token-trade.sh), launching tokens (scripts/droyd-agent-token-launch.sh on a bonding curve), claiming creator/platform fees, and integration with on-chain trading infrastructure (Jupiter aggregator, Solana trading, wallet provisioning). These are specific tools/functions to move funds and execute transactions on-chain rather than generic capabilities, so it qualifies as Direct Financial Execution.
Issues (3)
W007 - HIGH: Insecure credential handling detected in skill instructions.
W011 - MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W009 - MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).