connic

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly tells the agent to fetch live documentation and web pages (e.g., "For any topic not covered locally, the canonical docs URL is https://connic.co/docs/v1/... Fetch with WebFetch" in SKILL.md) and exposes predefined tools like web_search/web_read_page, so the agent will read arbitrary public web content that can influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill declares MCP server endpoints (e.g. https://mcp.context7.com/mcp and http://mcp.internal:8080/mcp) which are contacted at runtime to auto-load and invoke remote MCP tools — remote code that the agent can call and which can directly affect agent behavior, so these URLs are runtime dependencies that execute remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly documents Connic's connectors and names "stripe" as one of the eleven supported connectors (connectors.md). A Stripe connector is a specific payment-gateway integration (not a generic browser/API caller) and therefore constitutes a direct financial execution capability.