rstack-bootstrap

Fail

Audited by Snyk on Apr 24, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read/store API keys (AgentMail and resolved.sh), write them to files, and "fill in actual values" in env snippets and curl headers—forcing the agent/LLM to include secret values verbatim in its outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly polls a third-party email API (https://api.agentmail.to/v0/inboxes/.../messages) to parse message bodies for verification tokens and fetches public resolved.sh pages (https://{subdomain}.resolved.sh?format=json) to read md_content and agent_card_json — both are untrusted/user-provided sources that the agent parses and uses to drive account verification, registration, audits, and maintenance actions, so they could carry indirect prompt-injection content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill contains explicit, finance-specific operations: it provisions and registers a USDC payout EVM wallet on Base (including private-key handling and commands to create/manage the wallet), it exposes the resolved.sh API endpoint to set the payout address (POST /account/payout-address), it documents a tip-jar payment endpoint (POST /tip?amount_usdc=...), and it includes a Stripe checkout-session flow for paid registration. These are concrete payment/crypto integration steps (wallet creation/registration, receiving USDC, Stripe checkout), not generic tooling, so it grants direct financial execution capability.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 24, 2026, 07:07 AM
Issues: 3