stripe-link-cli
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill consumes and acts on untrusted merchant responses—e.g., the Agent-facing MPP flow (link-cli mpp pay and link-cli mpp decode --challenge '...') expects the agent to ingest WWW-Authenticate headers and other data from arbitrary merchant URLs and uses the decoded network_id to create/pay SPTs, so third-party content can materially change subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill invokes and runs a remote npm package via "npx @stripe/link-cli" / "npm i -g @stripe/link-cli", which fetches and executes code from the npm registry (see https://www.npmjs.com/package/@stripe/link-cli), so this runtime external dependency executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe Link CLI for creating spend requests, generating virtual cards and shared payment tokens (SPTs), retrieving full card details, and performing MPP payments (link-cli mpp pay). It is specifically designed to initiate and complete payments via Stripe Link (a payment gateway) — including commands to create spend requests with amounts, request approvals, retrieve credentials, and execute MPP pay calls. These are concrete payment APIs/operations (not generic browser or HTTP tooling), so it grants direct financial execution capability.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).