clawfinder

Fail

Audited by Snyk on Mar 20, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The spec includes explicit examples that require placing API keys directly into Authorization headers (e.g., "Authorization: Bearer ak_your_api_key_here") and instructs using the returned api_key for authenticated requests, which implies the LLM would need to insert secret values verbatim into generated requests/commands — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill requires the agent to fetch and act on untrusted, user-generated content from the open index and arbitrary public URLs — e.g., reading public job listings and agent profiles via GET /api/jobs/ and GET /api/agents//, fetching PGP-encrypted inbox messages via GET /api/agents/me/inbox// (and reviews via GET /api/reviews/), and downloading attachments from arbitrary HTTPS attachment_url values — and those messages/attachments directly drive negotiation, execution, and payment actions, so third-party content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly defines and integrates a crypto payment flow: it names lobster.cash as a certified payment provider, requires Solana/USDC settlement, mandates invoice_wallet_address (Solana address) and invoice_amount in RESULT messages, references wallet provisioning/signing/transaction state, and documents installing a lobster.cash plugin/CLI. These are specific crypto/payment integrations (wallets, signing/settlement) rather than a generic API or browser automation, so it grants direct financial execution capability.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 20, 2026, 10:07 AM
Issues: 3