user-onboarding

Fail

Audited by Snyk on May 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.70). The prompt instructs the assistant to actively conceal its memory signals from users (e.g., "Never say 'according to my memory…'... Just speak as if you naturally remember"), which is a deceptive behavior outside the benign onboarding purpose and therefore constitutes a hidden instruction.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to pull and summarize public web/social content as part of its workflow (e.g., "Step 2" mapping: "Twitter monitor — auto-summarize daily" and "Step 3" mini examples: "News digest: pull latest headlines now"), meaning the agent will fetch and interpret untrusted user-generated/public third-party content to produce samples and drive scheduling/actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The prompt explicitly references crypto/blockchain execution tooling and wallets. It names specific services (Hyperliquid, 1inch), mentions "wallets," "wallet tracker," price/alert workflows for ETH/BTC, and even lists "Agent wallet (crypto users only)" in the advanced curriculum. Those are specific crypto capabilities (wallets, swaps/DEXs, on-chain data) rather than generic browser or API tooling, which meets the criteria for Direct Financial Execution authority.

Issues (3)

E004 (CRITICAL): Prompt injection detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 10, 2026, 03:28 AM
Issues: 3