fluxa-agent-wallet
Warn
Audited by Snyk on Apr 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and parse public web resources (e.g., curl-ing x402/payment URLs, calling monetize.fluxapay.xyz discovery endpoints, reading https://fluxapay.xyz/announcement.md and https://clawpi.fluxapay.xyz/api/skill.md in SCHEDULED-CHECKIN.md and SKILL.md) and to act on that untrusted third-party content (drive payments, follow/claim actions, or choose APIs), so external content can materially influence tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs the agent to fetch external skill/prompt documents at runtime (for example: https://clawpi-v2.vercel.app/api/skill.md?lang=zh and https://monetize.fluxapay.xyz/api/discover?type=skill), and those fetched documents are used to guide agent prompts/behavior, meeting the criteria for a runtime external dependency that can control instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides tools to move money: it is a wallet/payments integration that supports x402 payments, USDC transfers, agent-to-agent transfers, payouts to wallet addresses (Base chain), creating/charging payment links, issuing prepaid virtual cards (including PAN/CVV access), and CLI commands to create mandates and execute payments (mandate-create, x402, payout, paymentlink-create, card create, etc.). These are specific financial execution operations (crypto transfers and payment flows), not generic tooling. Although user authorization/mandates are required, the skill's primary and explicit purpose is to execute payments and transfers on behalf of the agent/user.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata