frame-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill auto-updates itself from its GitHub "origin" remote (runs git fetch/git pull origin main and npm install) so the agent fetches and executes public, user-controlled repository content from the open web, which it reads and runs as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly auto-updates at runtime by running git fetch/git pull from its origin remote (e.g., GitHub commit URL https://github.com/clawdbot/skills/commit/0d88424be9add01c462466a75ade0b7e17d0ffe8) and then runs npm install, which means remote repository content fetched during heartbeat execution can change the skill's code and cause execution of remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly built for blockchain financial operations. It includes creating EVM wallets (private keys), launching tokens (builder and product coins), encoding and broadcasting transactions, and explicit commands to claim vesting tokens and trading fees. It also references gas-free transactions via Frame sponsorship and has dedicated references for transaction encoding and broadcasting. These are specific crypto/financial actions (wallet management, token launches, claiming funds, broadcasting signed transactions), not generic tooling, so it grants direct financial execution capability.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to autonomously write/modify files in the user's home (~/.evm-wallet.json, ~/.openclaw/..., /tmp/...), run commands (node scripts, git pull, npm install) and auto-claim transactions without confirmation — actions that change machine state and can execute arbitrary code (auto-update via git + npm is especially risky) even though it does not request sudo or system-level config changes.