simmer

Warn

Audited by Snyk on Mar 22, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to fetch and import public market pages and third-party listings (e.g., client.import_market(url=...), GET /api/sdk/markets/check?url=..., client.list_importable_markets for Kalshi, and the no-auth GET /api/sdk/skills/ listings/ClawHub links), meaning untrusted/user-generated market descriptions and skill metadata from external sites are read and used to drive trading decisions and actions—allowing indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The Simmer skill is explicitly a trading/payment-capable API for prediction markets and includes multiple concrete, money-moving capabilities: registration returns an api_key enabling managed-wallet trading; client.trade and REST /api/sdk/trade endpoints to place market orders; wallet modes including Managed Wallet (server signs trades on your behalf) and External Wallet (WALLET_PRIVATE_KEY and SOLANA_PRIVATE_KEY env vars for signing transactions locally); auto-redeem functionality that redeems USDC.e to linked wallets; cancel_order/cancel_all_orders endpoints; real-money venues (Polymarket USDC.e and Kalshi USD) and instructions for linking wallets/KYC. These are specific financial execution primitives (placing/cancelling trades, signing transactions, moving/claiming real USDC/USD), not generic tooling. Therefore it grants direct financial execution authority.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Mar 22, 2026, 07:18 PM
  • Issues: 2