erc-8004

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill clearly auto-fetches and ingests untrusted public content: agent.setMCP(..., true) and agent.setA2A(..., true) (SKILL.md and sdk docs) auto-fetch tools/skills from arbitrary HTTPS/IPFS agentURI and MCP/A2A endpoints, the subgraph indexes public IPFS/HTTP registration and feedback files, and semantic-search.ag0.xyz is used for keyword search. The agent reads all of these sources, and each can materially alter capability discovery, tool use, and decision-making.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The Agent0 SDK explicitly auto-fetches MCP/A2A endpoints at runtime (e.g., agent.setMCP('https://mcp.example.com', '2025-06-18', true)) and the EndpointCrawler "auto-fetches tools/prompts/resources from MCP endpoint", meaning external MCP URLs like https://mcp.example.com are fetched at runtime and can directly supply prompts/resources that control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes on-chain transaction and wallet functionality. The TypeScript SDK examples require a privateKey and rpcUrl, create and register agents on-chain (agent.registerIPFS() that mints an NFT and returns a tx you wait to confirm), and show tx-based feedback submission (giveFeedback with a tx and proofOfPayment fields). The registration format includes an "agentWallet" (eip155:...) and mentions EIP-712/ERC-1271 and x402 payment protocol support. These are concrete crypto/blockchain wallet and signing operations (sending transactions, signing), which qualifies as direct financial execution capability under the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 12:49 AM