nadfunagent

clawhub:nadfunagent

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Autonomous agent spawning PROMPT_INJECTION_017

prompt-injection L1097

Detects autonomous sub-agent or cron-based execution without human oversight

cron job (run + Autonomous

FIX

Remove directives that force the agent to call specific tools or APIs not required for the skill's stated functionality. Tool calls should be determined by user intent, not embedded directives.

FP?

Likely FP if the skill legitimately needs to call other tools as part of its workflow (e.g., a deployment skill that calls git and cloud CLI tools).

LOW

External API response used without validation THIRDPARTY_004

third-party-content L231

Detects patterns where external API responses are used directly without validation or sanitization

endpoint
2. Parse JSON response + directly (all trading use

FIX

Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

FP?

Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.