pp-dominos

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly queries Domino's public endpoints (e.g., GraphQL operations, menu, deals, stores, and tracking) as shown in the Command Reference and Recipes — those live third‑party website/API responses are ingested and used to drive pricing, deal selection, ordering, and tracking decisions, so untrusted external content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires installing and running code fetched from GitHub during setup (e.g., go install github.com/mvanhorn/printing-press-library/library/food-and-dining/dominos/cmd/dominos-pp-cli@latest and go install github.com/mvanhorn/printing-press-library/library/food-and-dining/dominos/cmd/dominos-pp-mcp@latest), which pulls remote source that is compiled/executed locally and thus represents executed remote code the skill depends on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a purpose-built Domino's ordering CLI with explicit commands to create, validate, price, and place orders (e.g., orders place, order-quick --confirm), plus saved templates that include payment references and a template order/reorder flow that can replay and submit payment-enabled orders. It persists auth bearer tokens for authenticated actions and the order-quick --confirm workflow explicitly "place(s) an order" and returns {order_id, eta_min, total}, i.e. it executes commercial transactions. These are specific, non-generic financial actions (sending a payment/placing an order), so this qualifies as direct financial execution authority.