soma

Fail

Audited by Snyk on May 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs filling a .env with secrets (SOMA_SECRET_KEY, HF_TOKEN, S3 keys), shows code examples that embed a secret (Keypair.from_secret_key("YOUR_SECRET_KEY")), and guides copying and pasting keys for on-chain operations. This encourages requesting secret values and inserting them verbatim into commands or code, which creates a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly streams and ingests public, user-generated datasets (e.g., "The Stack v2" via HuggingFace in references/quickstart-patterns.md and data-strategies.md), queries open targets and model manifests (client.get_targets, get_model_manifests), and downloads third-party model weights and submission data (client.fetch_model, client.fetch_submission_data) which the agent is required to read and use to drive scoring, submission, and training decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The Getting Started instructions tell users to run "curl -fsSL https://sup.soma.org | bash", which downloads and immediately executes a remote installer script at runtime (https://sup.soma.org) and is presented as a required dependency for the workflow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly integrates with a blockchain wallet and on-chain transaction APIs. It requires a SOMA_SECRET_KEY, shows using soma wallet commands and Keypair.from_secret_key, and contains explicit functions to send transactions: submit_data, create_model (with stake/commission), commit_model/reveal_model (commit-reveal on-chain), claim_rewards, merge_coins, get_balance, and other bond/coin/gas operations. These are direct crypto/blockchain signing and token management actions (moving tokens, staking, claiming rewards), not generic API or browser automation. Therefore it provides direct financial execution authority.


Audit Metadata

Risk Level: HIGH
Analyzed: May 4, 2026, 03:01 PM
Issues: 4