rstack-bootstrap

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill repeatedly instructs the agent to output completed env snippets and other artifacts containing API keys, session tokens, and wallet/private-key-related values (e.g., "fill in actual values" and "display the complete snippet ready to paste"), which forces secrets to appear verbatim in generated output — a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill autonomously polls and parses messages from a third‑party AgentMail inbox (see Phase 2b: curl "https://api.agentmail.to/v0/inboxes/$INBOX_ID/messages" and the Python regex that extracts a token), which ingests untrusted, user-generated email content and uses that content to drive verification and subsequent API actions—creating a clear vector for indirect prompt injection or manipulation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provisions financial endpoints and wallet integrations. It walks the agent through creating a payout wallet (USDC on Base), storing a private key (instructions for cast / OS keychain / env vars), and registering that wallet via POST /account/payout-address. It also includes explicit payment gateway integration (POST to /stripe/checkout-session and handling Stripe checkout sessions) and a tip-j ar payment URL pattern (POST https://{subdomain}.resolved.sh/tip?amount_usdc=1.00). These are specific, finance-focused APIs and wallet setups (crypto payments and Stripe) rather than generic tooling, so the skill grants direct financial execution capability.