metengine-data-agent
Warn
Audited by Snyk on Mar 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and read remote, public documents (e.g., https://raw.githubusercontent.com/MetEngine/skill/main/references/*.md and live endpoints like https://agent.metengine.xyz/api/v1/pricing and /health) and to use that untrusted third‑party content to drive endpoint selection, payment signing, error handling and follow‑on API calls, so third‑party content can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly directs the agent at runtime to fetch remote docs (e.g. https://raw.githubusercontent.com/MetEngine/skill/main/references/core-runtime.md and related raw.githubusercontent.com raw-doc URLs, and even https://www.metengine.xyz/skill.md for auto-updates) which are then used to drive workflow rules, prompts, client bootstrap code, and memory/update behavior—i.e. externally-fetched content directly controls the agent's instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly requires executing an "x402 handshake using local Solana wallet (USDC + SOL required)" and is built around a pay-per-request API that may require payment signing. It references loading payment flow details in core-runtime.md. This is not generic browsing or API calling — it specifically calls for wallet-based crypto payment signing, which is a direct crypto/transaction execution capability.