bankr-shopify
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's Bankr Bridge workflows (Bridge 1 and Bridge 3 in SKILL.md) read customer-provided metafields (the "handle" via shop_gql / webhook payload) and pass that untrusted, user-generated string verbatim into Bankr agent prompts (POST /agent/prompt), so third-party content can directly influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill makes runtime calls that submit and execute prompts via the Bankr agent API (e.g., POST https://api.bankr.bot/agent/prompt and GET https://api.bankr.bot/agent/job/{id}), meaning remote endpoints are invoked at runtime to perform actions based on supplied prompts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill includes Bankr-specific bridges with explicit APIs and examples that move money onchain: curl calls to https://api.bankr.bot/agent/prompt that instruct the agent to "send 10 USDC to ${HANDLE} on base" or "call x402 endpoint ... and settle in USDC", use of Bankr job submission/polling endpoints, and patterns for loyalty/royalty token drops and settling draft orders. It also shows completing Shopify draft orders after verifying onchain settlement. These are concrete, purpose-built crypto/payment operations (USDC transfers, token drops, onchain settlement) rather than generic HTTP or browser actions, so the skill grants direct financial execution capability.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata