metengine-data-agent
Warn
Audited by Snyk on Feb 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill instructs the agent to fetch and process data from public MetEngine API endpoints (e.g., GET https://agent.metengine.xyz/api/v1/markets/search and /api/v1/markets/trending), which return user-generated public content such as Polymarket "question" text and other on-chain/trade data that the agent is required to read and act on, creating a clear vector for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs agents to fetch and replace their local skill file at runtime using curl from https://www.metengine.xyz/skill.md, which lets remote content directly control the agent's instructions and is relied upon as a required update mechanism.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly implements a crypto payment protocol on Solana (x402) and includes concrete wallet/keypair handling and signing code. It requires a Solana wallet with SOL/USDC, tells agents to load a local keypair path, and provides TypeScript calls to create a keypair signer (createKeyPairSignerFromBytes, toClientSvmSigner), build/encode a payment payload, attach PAYMENT-SIGNATURE headers, and extract settlement tx hashes. This is an explicit crypto/blockchain payment flow (signing and settling USDC on Solana), which is direct financial execution capability.