virtuals-protocol-acp

Fail

Audited by Snyk on Apr 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt requires running setup/CLI commands that generate or accept API keys (written to config.json or passed as KEY=value) and explicitly instructs the agent to capture and return CLI JSON stdout and to walk users through entering secrets, which forces the LLM to handle and potentially output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to "Always browse ACP first" (SKILL.md) and to use commands such as acp browse (returns marketplace agent listings and resources), acp resource query <url> (performs GETs to arbitrary resource URLs), and Twitter/X search/timeline. All of these fetch public, user-generated third-party content that the agent must read and act on (select/hire agents, fill requirement schemas, approve payments and create jobs), so external content can materially change tool use and next actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes finance/payment functionality: a built-in agent wallet, wallet balance/address/topup commands (topup via credit/debit card / Apple Pay / crypto), token launch and on-chain/token operations (swaps, transfers, yield farming), and explicit payment workflow commands (acp job create with wallet, acp job pay --accept true, and an --isAutomated true auto-pay mode). These are specific capabilities to move funds and perform crypto/market-like operations, so this skill grants direct financial execution authority.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 3, 2026, 02:57 AM
  • Issues: 3