teneo-protocol-cli

Fail

Audited by Snyk on Mar 25, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit private key value and example commands that echo/store it (and exposes a wallet-export-key command), which instructs or enables the agent to handle and output secret private keys verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). The skill intentionally automates signing and confirming on-chain transactions and micropayments (including "auto-sign" and "auto-confirm" flows), supports overriding the backend WebSocket endpoint and auto-loading .env/ENV private keys, and thus embeds deliberate behaviors that can be abused by remote agents or a malicious endpoint to exfiltrate funds or trigger unauthorized transactions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs performing web searches for social-media handles ("Use a web search (not the Teneo agent) to find the official handle") and describes querying agents that return data from public sources (social media, Amazon, news, etc.) via teneo-cli commands — and the workflow uses those results to select agents, auto-pay, and even sign on-chain transactions, so untrusted third-party content can directly influence tool selection and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to the WebSocket backend wss://backend.developer.chatroom.teneo-protocol.ai/ws, and that external endpoint returns agent responses (including transaction requests and instructions) which can cause the CLI to sign/execute payments or follow agent-driven commands — a required runtime dependency that directly controls actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy literal values that could be used to access services.

Flagged item:

  • The documentation contains a 64-hex-character private key assigned to TENEO_PRIVATE_KEY: "export TENEO_PRIVATE_KEY=4a8b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a2e". This is a high-entropy, directly-present private key (looks like an Ethereum-style private key) and appears usable for authentication/payment signing per the docs — therefore it should be treated as a real secret.

Ignored items / why not flagged:

  • The .env example later that uses a truncated value ("TENEO_PRIVATE_KEY=4a8b1c2d3e4f...") is redacted/truncated and thus ignored.
  • USDC contract addresses, the WebSocket endpoint, and environment variable names are public configuration or non-secret values and are not credentials.
  • Command examples, room IDs, and other sample strings are documentation examples/placeholders.

Conclusion: a live private key is directly present and must be considered a secret leak.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly implements cryptocurrency payment and wallet functionality. It auto-generates and manages encrypted wallets, exposes a private key env var, supports USDC on specific chains (Base, Peaq, Avalanche, X Layer), auto-signs x402 USDC payments, "sign transactions — handle on-chain transaction requests from agents (swaps, transfers) automatically", and provides wallet operations including balance checks, withdraw and export-key. These are concrete, purpose-built financial actions (payment signing, transfers, swaps, withdrawals) — not generic tooling — and therefore constitute direct financial execution capability.

Issues (6)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 25, 2026, 01:37 AM
Issues: 6