fluxa-agent-wallet
Warn
Audited by Snyk on Mar 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and ingest public third-party HTTP 402 payloads and discover/pay to public x402 APIs (e.g., curl -s <payment_link_url> in PAYMENT-LINK.md and the full x402 flow in X402-PAYMENT.md and x402-SERVICES.md which call monetize.fluxapay.xyz and arbitrary endpoint URLs), and those responses are parsed and used to decide/pay (i.e., materially influence actions), exposing the agent to untrusted third‑party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs the agent at runtime to curl the Monetize discovery endpoints (e.g. https://monetize.fluxapay.xyz/api/discover?type=skill and https://monetize.fluxapay.xyz/api/discover?type=api) and to read a remote skill file (https://clawpi-v2.vercel.app/api/skill.md?lang=zh), which are fetched during execution and provide skill definitions/instructions that the agent would parse and act on, so these URLs can directly control agent prompts/behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments/wallet tool that allows an AI agent to move money. It exposes concrete payment actions (USDC transfers, "payout" to a wallet address, x402 payments with mandate creation and execution via x402-v3, creating and paying payment links, paymentlink-payments) and a CLI/API surface for creating mandates, approving payouts, and submitting payment payloads. These are specific financial execution capabilities (crypto/token transfers and payment execution), not generic tooling. Therefore it grants direct financial execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).