agentcash

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to run "npx agentcash@latest discover " and to "Read the instructions field" from discovered public origins (e.g., stableenrich.dev, stablesocial.dev, Firecrawl/web scraping and social-media endpoints), meaning it ingests untrusted, user-generated third‑party content and endpoint instructions that directly guide follow‑up requests and workflow decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs the agent to run runtime discovery/fetch calls against origins such as https://stableenrich.dev (and other stable*.dev origins) whose returned "instructions" field is required and used to control endpoint-specific prompts/behavior, so these remote URLs directly influence agent instructions at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements crypto payment functionality: it manages a wallet (check balance, redeem invite code, deposit USDC), instructs depositing USDC on Base or Solana, and—critically—automates x402 micropayments by signing and sending USDC payments (sends request, receives 402 challenge, signs USDC payment, retries with credential). It also provides wallet-auth (SIWX) and network/payment flags. These are specific, purpose-built crypto/transaction actions (moving funds/signing transactions), not generic tooling, so it grants direct financial execution capability.