funding-program-manager

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to obtain and display/save the Karma API key (e.g., showing the returned "karma_..." value and appending export KARMA_API_KEY="karma_...") which requires emitting the secret verbatim in commands/output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches and reads user-generated program and application content from public Karma API endpoints (e.g., /v2/funding-program-configs/{PROGRAM_ID} for formSchema, /v2/funding-applications/{REFERENCE_NUMBER} for applicationData, and /v2/applications/{REFERENCE_NUMBER}/comments), and that untrusted content is directly used to drive decisions and actions like AI evaluation, approval, and payouts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes API endpoints and actions to disburse funds and manage on-chain payouts. Examples: the "Create Disbursement Batch" POST /v2/payouts/disburse requires chainID, safeAddress, token/tokenAddress, and a grants array with amount and payoutAddress (Ethereum addresses). The skill also supports approving applications with approvedAmount/approvedCurrency, creating payouts/disbursements, viewing pending disbursements, and listing disbursements awaiting Safe signatures. These are specific crypto/financial operations (token transfers/disbursements and payout management), not generic API or browser actions, and therefore constitute direct financial execution capability.