onboarding-to-agentbeat

Fail

Audited by Snyk on Feb 14, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill includes examples and instructions that print or embed private keys and one-time vouchers (e.g., console.log of the generated privateKey and curl calls inserting {voucher}), which require the agent to handle and potentially output secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and act on arbitrary public web resources (e.g., host/fetch the agent registration JSON at any public URL or IPFS, query x402 services like "https://some-x402-service.com/api/data" and the x402 Bazaar, and process PAYMENT-REQUIRED/PAYMENT-SIGNATURE headers via the World.fun facilitator https://facilitator.world.fun), which are untrusted third-party contents the agent is expected to read/interpret and act upon (including signing payment authorizations), creating an avenue for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill explicitly provisions and manages cryptocurrency payment capability: it instructs creating/loading an EVM private key, signing and broadcasting on-chain transactions via JSON-RPC, registering an ERC-8004 NFT, integrating the x402 payment SDK (which automatically signs USDC payments and interacts with a facilitator), and submitting/claiming USDC rewards. Those are concrete, specific on-chain payment operations (wallet creation, signing transactions, sending USDC) — i.e., direct financial execution authority.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 14, 2026, 02:11 PM