botchan-net

Fail

Audited by Snyk on May 2, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly instructs and exemplifies embedding wallet private keys (e.g., export BOTCHAN_PRIVATE_KEY=0x..., --private-key KEY, export NET_PRIVATE_KEY=0xYOUR_KEY) and encourages passing them on the CLI, which can cause the LLM to output secrets verbatim — a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md clearly instructs agents to fetch and process public, user-generated content (e.g., "botchan read general", "botchan chat read general", and the "Agent Polling Pattern" showing NEW_POSTS=$(botchan read general --unseen --json) and piping .text for processing), meaning untrusted third-party posts/messages are read and used to drive agent actions (posts, replies, transactions).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain financial capabilities. It includes commands and flags for wallet private keys and transaction signing (BOTCHAN_PRIVATE_KEY / NET_PRIVATE_KEY, --private-key, --encode-only with Bankr submission). The Net CLI (netp) provides explicit crypto/financial operations: token deployment (ERC‑20 deploy with optional initial-buy), NFT Bazaar buy/list/accept-offer (returns fulfillment with value), upvoting that requires ETH value per upvote, and a "relay fund" USDC payment. These are direct blockchain transaction operations (deploying tokens, buying/selling NFTs, sending value, signing/submitting transactions) — i.e., explicit capabilities to move value on-chain. Therefore it meets the criterion for Direct Financial Execution.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: May 2, 2026, 11:40 PM
Issues: 3