uni-agent

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill’s adapters fetch and parse external agent metadata and APIs (e.g., adapters/anp.py _fetch_ad using ad_url entries in config/agents.yaml like https://agent-connect.ai/…, adapters/a2a.py _fetch_agent_card requesting /.well-known/agent.json from configured endpoints, and lmos/agent_protocol/aitp adapters querying registry_url or endpoints), so the agent consumes untrusted, public third‑party content as part of its runtime workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The ANP and A2A adapters fetch remote agent description documents at runtime (e.g., https://agent-connect.ai/mcp/agents/amap/ad.json, https://agent-search.ai/agents/navigation/ad.json, and A2A .well-known agent.json endpoints). These documents are used to determine RPC endpoints/methods and thus directly control which remote code/agent is invoked, so the runtime-fetched URLs are a high-confidence runtime dependency that can control execution.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes a protocol adapter for AITP, described as "交互 + 交易" and earlier noted as "AITP:NEAR 的交互交易协议". The examples show direct payment/transaction usage, e.g. agent.call("shop@aitp", "purchase", {"item": "coffee", "amount": 10}) and the adapters list includes adapters/aitp.py. The identity config also contains private_key entries for cross-protocol identities, which supports signing/transaction capabilities. These elements indicate the skill is specifically designed to invoke transaction-capable agents (blockchain/transaction protocol) rather than being a generic caller, so it grants direct financial execution capability (crypto/transaction).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 01:38 AM