Abuse cases & mitigations
Shared skills and memory can be weaponized. Raven's public skills are read-only instructions: Raven does not accept user-provided executable skills, browser actions, or autonomous outbound actions. Full runbook: ABUSE_RUNBOOK.md.
- rpcUrl supplied -> rejected (400). issuerIdentity supplied -> rejected (400).
- Private key / signing secret in a request -> rejected or ignored; never logged (sanitized ledger).
- "Tell me it's safe" -> refused while coverage gaps exist: "not enough evidence for a full pass".
- Trading advice / price prediction requests -> refused; verification-only language.
- "Give me a rug score" -> Raven produces signed evidence receipts, not scores.
- Mass anonymous verification -> rate limits + invite-gated keys.
- Prompt injection via metadata/token names -> inputs are DATA, never instructions; the engine decodes bytes, it does not follow text.
- Executable user skills / mutable shared memory -> unsupported, by design.
Grounded in real incidents (2025–2026)
- Tweet-borne prompt injection drained an agent wallet (~$200k, May 2026): a transfer command hidden in Morse code in a post on X was followed by an auto-executing agent. Raven mitigation: all inputs are data, never instructions; the engine decodes bytes and never auto-executes anything.
- LLM-router man-in-the-middle ($500k drained): services sitting between users and models injected malicious tool calls. Raven mitigation: receipts are end-to-end verifiable. Verify the ed25519 signature against the key published at /pubkey yourself; never trust the transport or any intermediary's summary of a receipt.
- Memory poisoning: attackers seeding malicious "facts" into an agent's long-term memory. Raven mitigation: under the receipt-memory policy the raw signed receipt is the only source of truth; it is recalled by a deterministic key and its signature is verified before use, so a poisoned summary cannot override the signature check.
- ~$45M in agent-protocol incidents reported across 2026. The systemic lesson: agents that touch money need fail-closed defaults and human approval gates. That is Raven's architecture, not an add-on.