agentcash-wallet
Warn
Audited by Snyk on Apr 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call agentcash.discover_api_endpoints(url="...") and to "Read the instructions field" from arbitrary origins (e.g., https://stableenrich.dev, https://stablesocial.dev) and to use agentcash.fetch on those endpoints, which means it ingests untrusted third-party endpoint-provided content that can materially influence subsequent requests and tool behavior as described in SKILL.md's "Calling Paid APIs" section.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill calls agentcash.discover_api_endpoints(url="https://stableenrich.dev") at runtime and explicitly instructs the agent to read the returned "instructions" field for endpoint-specific guidance, so remote content from https://stableenrich.dev can directly control agent prompts and is relied upon.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly manages a crypto wallet (auto-creates wallet stored at ~/.agentcash/wallet.json), provides deposit addresses for USDC on Base and Solana, and exposes functions that perform on-chain/payment operations: agentcash.list_accounts (deposit addresses), agentcash.get_balance (USDC balance), agentcash.redeem_invite (crediting funds), and crucially agentcash.fetch which "sends request, gets 402 challenge, signs USDC payment, retries with credential" and "Payment is automatic." These are specific crypto payment primitives (wallet management, deposit addresses, signing and sending USDC payments) — i.e., direct financial execution via blockchain wallets. This matches the Crypto/Blockchain category in the core rule.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata