manifold

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and stream public, user-generated content from Manifold (e.g., REST endpoints like /markets, /comments and WebSocket topics such as global/new-comment and global/new-bet) in SKILL.md, which the agent is expected to read and which can materially influence trading and other actions, creating a clear avenue for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a prediction-market API with authenticated write endpoints that move value: it includes POST endpoints to place bets (/bet, /multi-bet), place/cancel limit orders, sell shares (/market/.../sell), transfer mana to other users (/managram), add liquidity/add-bounty/award-bounty, create markets (costs mana), and resolve markets. These are concrete transaction operations that change users' balances and execute trades, not mere generic HTTP or browser actions. Therefore it grants direct financial execution capability.