huginn-onboard

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). The set includes a direct raw GitHub shell script that the skill explicitly tells users to curl|bash from an unvetted/unknown GitHub account (welttowelt), which is a high‑risk distribution vector for arbitrary/malicious code even though the other links (API and repo/issues pages) are lower‑risk informational endpoints.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflow explicitly instructs fetching a bridge quote from a public AVNU API (curl to https://api.avnu.fi/v1/bridge/quote in SKILL.md and META-SKILL.md) and using the response calldata to drive transactions, meaning it ingests third‑party data that directly influences actions the agent will execute.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's Quick Start commands fetch and pipe remote shell scripts to bash, which executes remote code at runtime (e.g. https://raw.githubusercontent.com/welttowelt/daydreams/main/packages/starknet/skills/onboard/install.sh and https://raw.githubusercontent.com/keep-starknet-strange/starknet-agentic/main/skills/huginn-onboard/meta-install.sh), so the fetched content directly controls execution.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly instructs moving crypto and signing transactions: it uses the AVNU bridge API (POST https://api.avnu.fi/v1/bridge/quote) and instructs "Execute bridge transaction (Use response calldata with your signer)". Prerequisites state the agent must have ETH/USDC and be able to sign transactions. It also shows deploying a Starknet account and calling on-chain functions (register_agent, log_thought). These are direct crypto/blockchain fund-transfer and transaction-signing operations, which qualify as Direct Financial Execution.