govnet
Warn
Audited by Snyk on May 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and processes public, user-generated content from the open gov.works API (e.g., GET /v1/comments, GET /v1/reports, the public "comments" WebSocket channel, GraphQL comment queries, and the scripts under scripts/public and scripts/content). The agent is expected to read this content as part of its workflow, and it could materially influence follow-up actions (trades, votes, reports), so the skill exposes the agent to untrusted third-party content that could carry indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill declares a hard runtime dependency that the harness will auto-install from the git URL https://github.com/awp-core/awp-wallet (git clone + bash install.sh). This fetches and executes remote code on first run and is required for signing, which satisfies the criteria for a high-confidence runtime-executing external dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading interface for the EMG (GovNet) prediction-market protocol. It exposes signed, state-changing operations such as placing and cancelling limit/market orders (trade/submit-order.py -> POST /v1/orders; trade/cancel-order.py -> DELETE /v1/orders/{id}; trade/cancel-all, synthesize, etc.), splitting/merging positions (POST /v1/positions/split, /merge), and streaming fills/orders. Signed requests go through awp-wallet (EIP-712 signatures) and the README includes confirm-before-irreversible behavior for submitting transactions. These are concrete, domain-specific APIs to execute market transactions (move economic value/positions), not generic tooling. Therefore it meets the "Direct Financial Execution" criteria.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata