rstack-services

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt parses and echoes the service's webhook_secret (and instructs inserting that exact value into displayed verification code and output), which requires the LLM to handle and emit sensitive secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses public, potentially user-generated content from resolved.sh and the operator's subdomain (e.g., https://resolved.sh/listing/$RESOLVED_SH_RESOURCE_ID/services, https://$SUBDOMAIN.resolved.sh/openapi.json, and https://$SUBDOMAIN.resolved.sh?format=json) and uses that data in its workflow to decide actions and update pages, so untrusted third-party content can materially influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to create and configure paid endpoints: it uses a resolved.sh API key to call listing endpoints and a PUT to register services with a price_usdc field, generates paid-call test commands, and documents the x402 USDC-on-Base payment flow (including PAYMENT-SIGNATURE requirements). This is not a generic API helper — it specifically configures payment gating/monetization and thus directly enables/controls financial transactions (crypto payments).