lobstercash

Fail

Audited by Snyk on May 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to run commands that reveal and then present checkout credentials (e.g., cards reveal outputs card numbers/CVV) and shows examples of embedding bearer tokens in headers, which requires the LLM to handle and output secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to navigate and scrape merchant websites in the purchase flows (references/purchase-flow.md and purchase-flow-byo.md via purchase explore/purchase run or the agent's own browser) and to fetch arbitrary paid API URLs with x402 (references/x402.md), and those third‑party pages/responses are parsed and used to drive decisions (needs_user_input prompts, sizing cards, completing checkout, or acting on API responses), which clearly exposes the agent to untrusted third‑party content that could carry indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to move money. It exposes concrete payment and crypto commands (lobstercash crypto send, crypto tx create/approve/submit, crypto x402 fetch, crypto request for topping up, cards request/reveal for virtual card creation and checkout), supports signing/submitting on-chain transactions, paying x402 API endpoints with USDC, and automating/completing merchant checkouts with virtual cards. These are specific financial execution capabilities (crypto wallet management, token transfers, transaction signing, virtual-card creation and checkout), not generic tools, so it grants direct financial execution authority.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 12, 2026, 03:19 PM
Issues: 3