printing-press-catalog

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill clearly downloads external API specs from each catalog entry's spec_url (see the "Install" workflow where it runs curl -sL -o "$SPEC_TMP" "<spec_url>") and then feeds those untrusted third‑party specs into printing-press generate, allowing external content to materially influence generation and subsequent tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The install workflow performs a runtime curl of the catalog entry's spec_url (curl -sL -o "$SPEC_TMP" "<spec_url>"), and the downloaded spec is directly fed into printing-press generate to control code generation (i.e., external content influences and drives code that will be built/run), so this runtime fetch meets the criteria for a risky external dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly lists and provides installation for payment gateway CLIs (e.g., "stripe", "square") and includes an example command (/printing-press-catalog install stripe) that downloads the API spec and generates a CLI for that payment API. Although the skill is a general catalog generator, it specifically exposes tooling to create and install CLIs for payment providers (Stripe, Square), which are direct financial APIs. This enables direct integration with payment gateways and therefore meets the "specific tools/APIs for payment gateways" criterion.