oneshot-compute

Warn

Audited by Snyk on Jun 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). The skill’s runtime workflow for agent.compute(...)/task execution can invoke OneShot tools like research/enrichment/email that may fetch public web content or process outsider-authored text (e.g., scraped pages or third-party messages) into the agent’s LLM context, creating an indirect prompt-injection surface.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill exposes explicit money-moving and budget-control APIs: it requires setting up auth/wallet (mentions USDC), accepts budget_usdc when launching goals, supports recurring budgets (budget_per_run), lets the orchestrator execute spend against that budget, and provides direct control endpoints such as fundComputeGoal (top up budget — paid), cancelComputeGoal (returns remaining_budget), and respondToComputeTask (approve specific spends, e.g., "$200 ad spend"). These are specific financial execution capabilities (managing/updating budgets and pushing funds), not generic tooling, so it grants direct financial execution authority.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 18, 2026, 04:25 PM
Issues: 2