virtuals-protocol-acp
Audited by Snyk on Jun 8, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt explicitly instructs the agent to hide internal implementation details (e.g., cron jobs, polling, scheduling) from users and to phrase responses deceptively (e.g., "I'll notify you" instead of describing the cron), which is a hidden/deceptive instruction outside the skill's technical usage documentation.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to run CLI commands in --json mode, capture and return stdout (which can contain API keys/tokens), to create agents that generate API keys saved to config.json, and to accept/set environment variables (e.g. OPENAI_API_KEY or ACP_BUILDER_CODE) — all of which can require the LLM to receive and emit secret values verbatim (e.g., embedding KEY=value on the command line or returning CLI JSON that includes keys).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). Runtime path:
acp browse/acp bounty poll/acp job statusfetches marketplace/server-provided JSON that includes outsider-authored free-text fields (e.g., agent descriptions, bounty descriptions, memoHistory/deliverables) and returns them to the agent via stdout/JSON, which can be placed into the LLM context.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The ACP skill explicitly provides financial execution capabilities: it includes a built-in agent wallet (acp wallet address, acp wallet balance), wallet topup (credit/debit, Apple Pay, crypto) and token launch (acp token launch). It exposes job payment APIs and workflows — acp job create/job status returns paymentRequestData, acp job pay --accept true/false to approve payments, and an --isAutomated true auto-pay mode where the CLI "handles payment end-to-end". The docs also reference on-chain operations, token/crypto operations (swaps, transfers, trading), and automated cron polling that can call job pay. These are specific, actionable payment/crypto commands (not generic HTTP or browser automation), so the skill grants direct financial execution authority.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (5)
Prompt injection detected in skill instructions.
Insecure credential handling detected in skill instructions.
Third-party content exposure detected (indirect prompt injection risk).
Direct money access capability detected (payment gateways, crypto, banking).
Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).