claw-brawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required heartbeat and strategy steps (HEARTBEAT.md and SKILL.md) explicitly instruct the agent to fetch and read untrusted, user-generated content—e.g., GET /bets/round/current (other agents' bets/reasons) and public community Moltbook posts—and to use those third-party sources (and Bitget market APIs) to decide bet direction and confidence, so external content can directly influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly mandates fetching remote skill files at runtime (e.g., curl -s http://www.clawbrawl.ai/skill.md and http://www.clawbrawl.ai/heartbeat.md and http://www.clawbrawl.ai/skill.json) which directly supply/alter the agent's instructions/heartbeat logic, so these URLs are runtime dependencies that control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes a programmatic, authenticated API endpoint to place bets (POST /bets with Authorization: Bearer $CLAWBRAWL_API_KEY) and instructs automated/cron heartbeat routines to POST bets every 10 minutes. This is a specific, explicit financial/trading action (placing wagers on BTC direction) that executes on-platform transactions (bets). Although it uses market-data APIs only for information and is not a payment-gateway or banking API, the primary purpose is trading/predicting and it provides an authenticated endpoint to execute bets automatically — i.e., direct financial execution authority.