ardi
Audited by Snyk on May 4, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These look potentially risky: the GitHub repo instructs cloning and running an install.sh (running remote scripts from an unverified repo is high-risk) and kya.link is a short/redirect-style domain used to generate social-verification flows—both could be abused to deliver malicious scripts or commands unless you verify the repo, inspect the install script, and confirm the kya.link destination and reputation.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches the epoch riddles from the Ardi coordinator API (see ApiClient in src/client.rs using ARDI_COORDINATOR_URL — default https://api.ardinals.com) and SKILL.md / tools/auto-mine require the agent to read those riddles and act (commit/reveal/inscribe), so externally-published, potentially untrusted content is directly ingested and can change the agent's actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill instructs the agent to fetch and run remote install scripts at runtime (e.g., curl -fsSL https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh | sh and git clone https://github.com/awp-worknet/ardi-skill), which downloads and executes code that directly controls the agent's runtime behavior—this is a high-confidence remote-code execution dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs on-chain crypto financial operations. It defines commands that send transactions and move/value tokens: e.g., ardi-agent buy-and-stake --yes --lock-days executes a swap + deposit + allocate (on-chain), ardi-agent claim sends a transaction that mints $ardi to the agent's wallet, ardi-agent inscribe mints the Ardinal NFT, ardi-agent transfer performs an ERC-721 transfer, repair pays a $ardi fee, and ardi-agent gas guides/refills ETH. It also requires a signing tool (awp-wallet) and enforces on-chain nonce/serial rules. These are specific crypto/blockchain execution capabilities (not generic tooling), so this grants Direct Financial Execution Authority.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs the agent/operator to clone and run an installer that writes files, installs and auto-starts systemd user units (a persistent daemon) and modifies user-state on disk—actions that change the machine's state and install persistent services even though they don't require sudo—so it presents a meaningful risk.
Issues (5)
Suspicious download URL detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Direct money access capability detected (payment gateways, crypto, banking).
Attempt to modify system services in skill instructions.