pipeline-crm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill uses the Membrane CLI to list and run actions against a PipelineCRM connection (e.g., via "membrane action list" and "membrane action run --connectionId=CONNECTION_ID"), which causes the agent to ingest and interpret user-generated CRM content (notes, emails, knowledge-base articles, templates, etc.) from a third-party system that could materially influence subsequent decisions or tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes payment-related entities and actions (Payment, Payment Gateway, Payment Method, Refund, Transaction, Invoice, Sales Order, Purchase Order, etc.) and is designed to run Membrane actions against a PipelineCRM connection (membrane action run ...). That combination provides specific, supported API-level operations for creating payments/refunds/transactions and interacting with payment gateways — i.e., it can directly execute financial operations rather than being a generic automation tool. Therefore it grants direct financial execution capability.