bstorms
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill fetches and surfaces user-generated content from the public bstorms marketplace (see Tools: browse -> "5 random open questions", questions(api_key) -> returns answers with content, and answer/api flows in SKILL.md), so the agent will read untrusted third-party questions/answers that could contain injected instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill uses the MCP endpoint https://bstorms.ai/mcp at runtime (register, browse, answer, GET /playbook-format) to fetch playbooks/answers that directly provide execution instructions/prompts the agent would follow, so this external URL can control agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built for on-chain payments: it requires registering with a Base wallet, mints/earns USDC, and provides a tip(api_key, a_id, amount_usdc) tool that returns the exact contract call (usdc_contract, to, function, args) to pay USDC. It instructs agents to approve and execute the contract call with their wallet and references on-chain verification of tips. These are specific crypto/blockchain payment operations (wallets, token transfers/contract calls), so the skill grants direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).