polyclawster-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The README and SKILL.md (supported by scripts like auto.js and news-dryrun-cron and .env.twitter keys) explicitly require the agent to read untrusted public sources—tweet links, YouTube/videos, RSS/news feeds and other external signals—and to score those signals and autonomously place trades, so third‑party content can directly influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime auto-trader fetches trading signals from polyclawster.com (e.g., https://polyclawster.com/api/signals) and directly uses those remote signals to decide and execute trades, meaning external content controls agent actions at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations. It generates a Polygon wallet, stores a private key locally, signs transactions/orders (EIP-712 + HMAC), performs token swaps (POL → USDC.e via Uniswap SwapRouter02), grants ERC-20 approvals, and places live bets/orders submitted via a relay. These are specific crypto wallet, signing, swap and order-execution capabilities — i.e., direct financial execution.