myriad-prediction-markets

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs copying/pasting raw EVM private keys and setting MYRIAD_PRIVATE_KEY (e.g., export MYRIAD_PRIVATE_KEY="0x...") or pasting the key into setup, which encourages the agent/user to supply and embed secrets verbatim in commands or outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches public market data (e.g., via "myriad markets list --json" and the API base https://api-v2.myriadprotocol.com/) and instructs agents to read/filter market descriptions and odds (user-generated/public prediction markets) and then make trading decisions, so untrusted third-party content can materially influence agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading CLI for Myriad prediction markets on BNB Chain and includes commands to execute financial actions: buy/sell trades (myriad trade buy/sell), deposit funds (myriad wallet deposit), swap tokens (myriad swap), claim winnings (myriad claim all), and wallet management including exporting private keys and funding via MoonPay (mp buy, mp wallet export). It also shows an offramp to bank (mp virtual-account offramp create). These are specific, built-in capabilities to move funds and perform on-chain transactions, not generic tooling, so it grants direct financial execution authority.