agnic

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted third-party content via the agent email flow (commands like "email inbox" and "email reply") and by making paid API calls to arbitrary URLs ("x402 pay "), and the required workflow uses those external contents to decide follow-up actions (verification, replies, and reporting), creating a clear avenue for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a wallet and payments/trading tool. It exposes commands to view balances and addresses, execute payments ("npx agnic@latest x402 pay ..."), execute token trades ("npx agnic@latest trade 10 USDC ETH --json"), and send tokens ("npx agnic@latest send --network base --json"). These are specific financial operations (on-chain wallet actions, token trading, and payments), not generic automation or generic HTTP tooling. Therefore it grants direct financial execution authority.