pp-ordertogo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and parses live content from the public OrderToGo.com platform (e.g., "restaurants menu", "orders list", "orders track" and other /m/api endpoints described in SKILL.md) and the agent is expected to read and act on that data (order planning and placement), so untrusted third-party web content could materially influence decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes commands that perform real payment submissions. It documents an "order place" command that drives a headless Chrome through Braintree DropIn to submit payment with the user's saved card and states "this is the one command that actually moves money." It also exposes payment-related commands (payment braintree_token and payment checkout) that produce/consume Braintree nonces to complete checkout. Those are specific payment-gateway integrations and thus constitute direct financial execution capability.