aomi-transact

Fail

Audited by Snyk on May 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly allows running commands like aomi secret add NAME=<value> and aomi wallet set <signing-key> when the user supplies values in-turn, which requires the agent to emit those secret values verbatim in generated commands (even though it forbids unsolicited echoing), creating an exfiltration surface.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly calls out and integrates many open/public third‑party apps (see SKILL.md and references/apps.md — e.g., X/neynar social feeds, DefiLlama, Khalani, 1inch, Polymarket, etc.), and the agent is expected to fetch and interpret their quotes/posts/routes as part of its chat→build→simulate→sign workflow (examples in references and SECURITY.md), so untrusted/user-generated content can materially influence transaction construction and subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill explicitly invokes the runtime command "npx @aomi-labs/client@0.1.30" (see https://www.npmjs.com/package/@aomi-labs/client), which will fetch and execute remote npm package code at runtime and is a required dependency for the skill to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to build and execute on-chain crypto/DeFi actions: examples include "swap 1 ETH for USDC", "open a 3x GMX long", "bet $100 on Polymarket" and it exposes primitives like encode_and_call, stage_tx, commit_tx, commit_eip712, simulate_batch and the command aomi tx sign to sign and submit transactions. It targets EVM chains and named DeFi protocols and explicitly stages wallet-signed transactions and can submit them. These are direct crypto transaction, wallet, signing, and broadcasting capabilities (crypto/blockchain + signing + swaps), so it provides direct financial execution authority.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 13, 2026, 10:26 AM
Issues: 4