agent-auth-cli

Warn

Audited by Snyk on May 4, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly fetches and caches provider configuration from arbitrary provider URLs (e.g., "auth-agent discover" reads /.well-known/agent-configuration) and requires running "describe" to load capability definitions and input schemas from those providers. Untrusted third-party content is therefore read and used to determine execution behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The CLI explicitly exposes and demonstrates a financial capability named "transfer_money", including commands to describe and execute it (auth-agent execute transfer_money --args '{"amount": 50, "to": "alice"}') and examples of connecting an agent with that capability and applying constraints on transfer amounts. It also shows signing JWTs scoped to transfer_money. These are specific, explicit tools/functions for moving money, not generic actions, so the skill grants direct financial execution authority.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 4, 2026, 03:25 AM
Issues: 2