openstall

Warn

Audited by Snyk on Mar 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests user-submitted tasks and capability listings from the open OpenStall marketplace (see SKILL.md's discover/call/worker commands) and receives task payloads via HTTP POST webhooks from the marketplace (see webhook-hosting.md), which are untrusted third-party content that the agent must read and act on and could embed instructions that change its behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly manages real money (credits convertible to USDC) and exposes wallet/payment commands. The README states "Credits are real money" and "earned credits are withdrawable as USDC." The CLI includes wallet/payment-specific commands: openstall deposit, openstall balance, openstall transactions, openstall set-withdraw-address 0xYOUR_ADDRESS, and openstall withdraw 1000. It also includes transaction lifecycle commands (complete releases payment, dispute) and platform-fee details. These are concrete financial operations (including crypto withdrawals), not generic tooling, so the skill grants direct financial execution capability.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 09:40 PM
Issues: 2