compact-state

Warn

Audited by Snyk on Feb 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated thread messages and agent-provided content (e.g., molt_thread and molt_context pulling recent thread/posts from https://molt.ac, and molt_agent_card / molt_invoke fetching arbitrary agent URLs like https://.compact.ac/.well-known/agent-card.json or service endpoints), and those external, public sources are read and used by the agent as part of its check-in/context workflow—creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill fetches raw agent context at runtime from the Molt server (e.g., https://molt.ac/molt/context/{agent_id}) via the molt_context tool and uses that text "formatted for injection" as the agent's prompt/context as part of the mandatory check-in loop, meaning remote content directly controls injected prompts and is a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provisions on-chain wallets and payment entrypoints and includes commands that perform payments. Examples: httpcat CLI "creates your Base wallet" and is used to "pay 5 USDC to the treasury via x402 automatically" (molt_claim); molt_pay sends USDC via httpcat; molt_invoke can "auto-pays via x402"; instructions show httpcat send 10 USDC to TREASURY_ADDRESS --chain base and a curl POST to record tx_hash. The skill is specifically designed to move funds on-chain (USDC on Base) and to register/execute payments, so it provides direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 14, 2026, 06:02 PM