alby-bitcoin-payments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to use the discover command (searching the public 402index.io) and the fetch command to pay for and consume arbitrary service URLs / HTTP 402 endpoints, meaning it ingests untrusted third‑party web content that can change payment decisions and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill repeatedly instructs running "npx -y @getalby/cli@0.6.1" which fetches and executes remote npm package code at runtime (and the skill relies on that CLI), so this external dependency directly executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed for cryptocurrency payments and wallet control. It exposes commands to send payments (pay-invoice, pay-keysend, fetch with automatic 402 payment), create invoices and hold invoices (make-invoice, make-hold-invoice, settle-hold-invoice), check balances and manage wallets (get-balance, connect, auth), and accepts a Nostr Wallet Connect connection secret. The CLI’s fetch command can automatically pay HTTP 402 endpoints and has spending limits (--max-amount). These are direct payment and wallet management operations (Bitcoin Lightning) — not generic tooling — so the skill grants direct financial execution capability.