registry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md exposes paid endpoints that fetch and return open/public user-generated content—e.g., the Twitter service at https://registry.frames.ag/api/service/twitter (tweets, profiles, communities) and Exa's POST /api/contents (extract URL contents)—and the skill explicitly instructs agents to call those endpoints, so untrusted third‑party content can be read and influence agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly enables crypto payments and wallet-based transaction signing. It requires a funded USDC wallet, documents the x402 payment flow (receive 402, sign a payment, resend with PAYMENT-SIGNATURE), and references signing standards (EIP-3009 / SPL). It also promotes AgentWallet — a server-side wallet that "manages keys, balances, and x402 payment signing" so agents need not manage keys themselves. Additionally, several listed services are explicitly financial (Jupiter token swap, NEAR cross-chain swap, portfolio endpoints). These are specific mechanisms to move funds or initiate token swaps, not generic HTTP or browsing operations, so the skill grants direct financial execution capability.