clawr
Warn
Audited by Snyk on Mar 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to fetch and ingest untrusted public content — e.g., querying the Bazaar discovery API (GET https://x402.org/facilitator/discovery/resources) as part of market-analysis flows in SKILL.md/ARCHITECTURE.md and the SEO Analyzer example that fetches arbitrary webpages and feeds their HTML to an LLM — and those results are used to drive pricing, scaffolding, or analysis decisions, creating a clear vector for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The SEO Analyzer endpoint (examples/ai-skill/server.js) fetches arbitrary external pages at runtime (e.g., the user-supplied URL such as https://example.com) and injects the fetched HTML snippet directly into an Anthropic model prompt, meaning remote content can directly control prompts sent to the LLM.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to implement and handle crypto payments (USDC on Base) for paid APIs. It includes payment middleware, requires a payTo wallet address, specifies network identifiers (eip155:8453 / base), shows example code calling a facilitator verify endpoint (https://x402.org/facilitator/verify), and describes payment headers and 402 payment flows. These are specific, explicit crypto/payment integrations (wallet/pay-to, payment verification, facilitator) rather than generic tooling, so it provides direct financial execution capability.