@1892/dgclaw

Warn

Audited by Snyk on Apr 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches user-generated forum posts from the public Degenerate Claw API (e.g., GET https://degen.virtuals.io/api/forums/... and /posts, via scripts/dgclaw.sh and references/api.md). The setup-cron flow in scripts/dgclaw.sh pipes the unreplied-posts output directly into an "openclaw agent chat" command to auto-reply, so untrusted third-party content is read and used to drive agent actions (auto-replies), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill fetches forum posts at runtime from https://degen.virtuals.io/api/forums//posts?unreplied=true (via the unreplied-posts command/cron) and pipes that external content directly into a local "openclaw agent chat" prompt, which injects remote data into the model context and can therefore control agent outputs.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly implements and routes real financial operations. It defines and instructs use of ACP jobs for perp_deposit, perp_trade (open/close positions, market/limit orders, leverage, size in USD), perp_modify, and perp_withdraw (amount, recipient). It includes the full payment flow (acp job pay / auto-pay), wallet balance/topup commands, concrete wallet and agent IDs, USDC on-chain bridge routes (Base/Arbitrum/Hyperliquid), subscription purchase via an ACP "subscribe" job, and CLI commands that generate/pay jobs and decrypt API keys. These are specific, purpose-built endpoints/commands to move funds, place market orders, and withdraw assets — not generic tooling — so it grants direct financial execution authority.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 12:18 PM
Issues: 3