prometeo-openbanking

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly states that Membrane connections and proxy requests fetch data from external Prometeo APIs and that the connection's clientAction.agentInstructions (returned by the external connection) can contain instructions for the AI agent to follow, so untrusted third-party content (from the remote app/connector or API responses) may be read and used to drive agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues a runtime call using membrane (membrane connection ensure "https://prometeoapi.com/en/") and the Membrane responses can include clientAction.agentInstructions (remote instructions for the AI), while the Membrane CLI is a required external dependency that is fetched/installed, so the external URL https://prometeoapi.com/en/ can deliver content that directly controls agent prompts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an integration for Prometeo OpenBanking — an API platform that explicitly allows businesses to "access banking data and automate payments across different banks in the region." The skill documents how to discover and run Prometeo actions via the Membrane CLI (membrane action run ... --input ...) and how to proxy arbitrary requests to Prometeo endpoints (membrane request ... with HTTP method, headers, body). Membrane handles authentication/credential refresh so an agent can invoke those APIs programmatically without manual key handling. Because this is a purpose-built open banking integration (explicitly supporting payments and transactions) and provides direct mechanisms to invoke endpoints that can move money, it meets the criteria for Direct Financial Execution.