agentcash-wallet

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). These are unknown, brand-like .dev domains (and a .sh) with no direct trustworthy vendor signals; while they don't link to explicit executables, the prompt asks you to run an unvetted npm CLI (npx agentcash) and interact with crypto deposit/payment endpoints — a combination that poses a notable risk of malware, credential theft, or financial scam.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to run "npx agentcash discover " and to "npx agentcash add " (examples: https://stableenrich.dev, https://stablesocial.dev) and tells the agent to "Read the instructions field" returned from those public origins, meaning the agent will fetch and interpret untrusted third‑party content that can change how it constructs requests and payments.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly manages a crypto wallet and performs on-chain payments: it creates/stores a wallet, provides a USDC deposit address on the Base (eip155:8453) network, supports depositing USDC, redeeming credits, and — critically — automatically signs/sends USDC payments to satisfy x402 payment challenges when making paid API requests ("sends request, gets 402 challenge, signs USDC payment, retries with credential"). These are concrete crypto payment and wallet operations (wallet management, deposits, signing transactions), not generic tooling. Therefore it grants direct financial execution capability.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 10, 2026, 07:08 PM