openai-agent-sdk-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly advertises a webSearchTool() in the "Hosted Tools" section and shows a "Research Bot" example that uses webSearchTool() to perform internet searches, so the agent will fetch and read open/public web content (untrusted third-party sources) that can influence its decisions and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Flagged because the skill includes a hosted MCP server URL 'https://gitmcp.io/openai/codex' which is used at runtime to supply model context that can directly influence agent prompts/outputs, and the MCP stdio example executes remote code at runtime via the command 'npx -y @modelcontextprotocol/server-filesystem ./files', which fetches and runs remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill documentation includes an explicit example tool named "process_refund" with parameters (orderId, reason) and an execute implementation described as "Refund processed for ${orderId}". This is a specific tool whose purpose is to perform a financial action (processing a refund / moving money). Although the SDK is general-purpose, this example defines a concrete financial-execution tool rather than only generic capabilities (browser automation, HTTP callers, or roleplay). Therefore it demonstrates direct financial execution capability.