prava-wallet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to retrieve tokenized card credentials (card token and dynamic CVV) from the CLI and then immediately use them to complete checkout, which requires the LLM to include those secret values verbatim in automation commands or requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow in SKILL.md (e.g., "3. Collect payment" and "4. Complete the purchase") explicitly requires showing and using merchant URLs and completing checkout "at the merchant's site via browser automation," meaning the agent will fetch and act on arbitrary public merchant webpages (untrusted third‑party content) that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs an installable CLI at runtime ("npm install -g @prava-sdk/cli") which fetches and executes remote code from the npm registry, and it depends on Prava backend endpoints (e.g. https://wallet.prava.space and https://collect.prava.space) at runtime to drive linking and tokenization, so external content is fetched/executed and is required for operation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provisions and uses payment APIs/CLI to perform purchases: it instructs the agent to run the Prava CLI (prava setup, prava sessions create, prava sessions poll), obtain tokenized card credentials (Visa network token + dynamic CVV), and immediately complete merchant checkouts. This is a dedicated payment integration designed to execute payments/transactions on behalf of users (merchant purchases), not a generic tool. Therefore it grants direct financial execution capability.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs running system-level install commands and even advises using "sudo npm install -g ..." if permissions fail, encouraging privilege-escalation/system-state changes on the host (though it doesn't instruct creating users or editing system config files).