openserv-agent-sdk

Warn

Audited by Snyk on Mar 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly provisions webhook and x402 triggers (SKILL.md and examples/basic-agent.ts / haiku-poet-agent.ts) that accept arbitrary user-supplied task input. That input is read into capability args / action.task.input and fed into LLM calls via this.generate() (reference.md and examples), so untrusted third-party content can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's run() function explicitly auto-connects at runtime to the WebSocket proxy https://agents-proxy.openserv.ai (and uses platform endpoints such as https://api.openserv.ai). These endpoints deliver tasks and LLM prompts from the remote platform that directly control agent instructions, so this is a runtime external dependency that influences prompts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provisions and manages a blockchain wallet (WALLET_PRIVATE_KEY), and exposes an on-chain registration API (client.erc8004.registerOnChain / register()) that requires the wallet private key and ETH on Base to pay gas. These are specific crypto/blockchain operations (signing and sending on-chain transactions), not generic tooling, so it grants direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 07:53 AM