project-manager
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask for or receive the Karma API key and to write or echo it verbatim into shell export commands and saved configs (and to show the generated key), which requires the LLM to handle and output secret values directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and consumes public Karma API data (e.g., /v2/projects?q=..., /v2/projects/PROJECT_UID_OR_SLUG, /v2/projects/.../grants, /v2/communities/...) and instructs the agent to read those project/grant/community fields (titles, descriptions, chainIds, program metadata) to determine chains and UIDs and to populate and execute on-chain actions. These fields are untrusted user-generated content that can materially influence subsequent tool use.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain operations via a Karma API that creates blockchain transactions/attestations. It includes an execute endpoint that posts actions and returns a transactionHash, requires an API key tied to an agent wallet (verify returns walletAddress and supportedActions), and supports multiple chains. These are explicit crypto/blockchain transaction/signing capabilities (not just generic HTTP/browser automation) and thus constitute direct financial execution authority.