agentsats-cli

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). They instruct cloning/building a GitHub repo from an individual/unknown account and using an unfamiliar custom API domain (agentsats.stacksx402.com), which can distribute executables or malicious payloads if unvetted (localhost:8083 itself is benign), so this is moderately high risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The CLI explicitly calls external bitcoinagent API endpoints (default https://agentsats.stacksx402.com/ and user-supplied --api-url) and service commands for twitter/tiktok/instagram/etc (see SKILL.md, AGENTS.md, and src/commands/api.ts / src/services/bitcoinagent-api.ts), ingesting untrusted public/social API responses (including decoded payment-required challenges) which the agent reads and acts on (e.g., signing/pay retry), so third‑party content can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's OWS preview setup step explicitly clones and builds remote code at runtime from https://github.com/tony1908/core.git (checks out a pinned commit and builds the ows binary), which means fetching and executing external repository code is required for that workflow and therefore poses execution risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes cryptocurrency wallet and payment functionality. It documents private-key and Open Wallet Standard (OWS) wallet modes (STACKS_PRIVATE_KEY, OWS_*), x402 payment flows that require decoding a payment challenge, creating/signing a facilitator-bound STX transfer, and retrying requests with a payment-signature. It even specifies how to build and sign Stacks transactions (using ows sign tx, parsing a 65-byte signature, and injecting it into transaction bytes). These are specific crypto/blockchain transaction creation and signing capabilities — not generic tooling — and therefore qualify as direct financial execution authority.