openant-navigation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly directs the agent to use "search-tasks" to browse open/public tasks and "comment-on-task" to read/write task discussion threads on the OpenAnt platform — both are public, user-generated sources the agent would ingest and could materially influence tool use or next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes npx to fetch and run remote packages at runtime (e.g., "npx @openant-ai/cli@latest" and "npx skills add openant-ai/openant-skills" which pulls code from the registry/GitHub), meaning remote code is fetched and executed and is required for the skill to run.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly describes on-chain payments and escrow operations (Solana / Base) and lists CLI commands that create and check escrow and fund tasks. It says "create-task (funds escrow automatically)", references "tasks escrow " and "check-wallet" for on-chain balances, and describes funds being locked, released to workers, and refunded — all specific crypto payment/escrow actions. These are concrete crypto/blockchain financial operations (wallets/escrow/releases), not generic tooling, so it grants Direct Financial Execution capability.