pp-openrouter
Warn
Audited by Snyk on May 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches data from the OpenRouter API — for example "generation list-content" returns stored prompt/completion content and "providers degraded" polls /providers and per-model /endpoints — so the agent ingests untrusted/user-generated third-party content that can directly influence routing, tool choices, and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill mandates installing and running remote code (via "npx -y @mvanhorn/printing-press install openrouter --cli-only" or "go install github.com/mvanhorn/printing-press-library/library/ai/openrouter/cmd/openrouter-pp-cli@latest"), which fetches and executes external code that the agent depends on at runtime to produce/format prompts and outputs.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit spend-control and billing-related commands: notably the "budget" command that can "Set a weekly USD cap per cron job (budget set scan-pipeline 2usd)" — i.e., it updates monetary caps/controls. It also exposes credits/usage endpoints (credits, usage cost-by, usage anomaly) for querying and managing spend attribution. Because it includes an API to set/update USD budgets (a direct financial control), it meets the criterion for Direct Financial Execution.
Issues (3)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata