soma
Warn
Audited by Snyk on Mar 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflows (Data Submission Workflow and references/quickstart-patterns.md / references/data-strategies.md) explicitly stream and ingest public, user-generated sources — e.g., The Stack v2, HuggingFace datasets, GitHub/S3 URLs and calls like stream_stack_v2(), load_dataset(...), client.fetch_model(), and fetch_submission_data() — and those fetched contents are scored and used to drive submissions, training, and commit/reveal actions, so untrusted third-party content can materially influence agent decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Getting Started prerequisites instruct running "curl -fsSL https://sup.soma.org | bash && sup install soma", which fetches and pipes remote script content from https://sup.soma.org to a shell (executing remote code) and is presented as a required installation step.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain crypto wallet and token operations: CLI commands to create/fund/export a wallet, instructions to store an Ed25519 secret key, and SDK/CLI methods that sign and send blockchain transactions (SomaClient.get_balance, client.submit_data which posts a bond, client.create_model with stake, client.commit_model/reveal_model, client.claim_rewards, and soma faucet). These are specific crypto/blockchain financial actions (wallet management, signing transactions, staking, posting bonds, claiming token rewards), not generic tooling. Therefore it grants direct financial execution authority.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata