aelf-skills-hub
Warn
Audited by Snyk on Mar 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and clones public repositories listed in skills-catalog.json (see scripts/bootstrap.ts -> downloadViaGithub) and builds/parses remote SKILL.md files (see scripts/lib/catalog.ts buildCatalog / extractSectionBullets), meaning it ingests untrusted, user-controlled content from public GitHub/npm sources that can influence routing, installation, and runtime behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The bootstrap script (scripts/bootstrap.ts) downloads and installs remote repositories at runtime (e.g., cloning https://github.com/AElfProject/aelf-node-skill.git from skills-catalog.json and then running bun install), which means fetched repository content is required and can cause execution of remote code during setup.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The hub explicitly catalogs and routes to skills that perform cryptocurrency financial actions: Portkey CA/EOA wallets with "transfer", create/import and signing functionality; Awaken DEX with "swap" and liquidity actions; eForest marketplace with "trade"/listing; and an aelf-node skill that can "contract view/send" and handle txs. These are specific crypto/blockchain execution capabilities (wallets, swaps, signing, sending transactions), so this grants direct financial execution authority.