starknet-mini-pay
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed private keys and tokens as literal values (e.g., private_key="0x..." in code and TELEGRAM_BOT_TOKEN / MINI_PAY_PRIVATE_KEY in the env var config) and shows passing secrets as function/CLI arguments, which encourages the agent to include secrets verbatim and thus creates exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's Telegram bot (scripts/telegram_bot.py — e.g., handle_text, cmd_link/cmd_invoice and handle_webhook) directly ingests and parses arbitrary user-supplied payment links/messages and webhook JSON from external users/URLs, so it reads untrusted third-party/user-generated content as part of its workflow.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto payment tool for Starknet: it provides P2P transfers of ETH/STRK/USDC, a send() function that signs and broadcasts transactions, a CLI "send" command, a Telegram /pay command that triggers transfers, environment variables for PRIVATE_KEY and RPC, and an on-chain invoice contract with a fulfill_request that "execute[s] payment". These are specific, purpose-built financial execution capabilities (crypto/blockchain wallet signing and transaction submission), not generic tooling. Therefore it grants direct financial execution authority.
Audit Metadata