oneshot-commerce

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required runtime workflow for commerceSearch/commerceBuy ingests outsider-authored free text from public web content at runtime (e.g., scraping/fetching product pages or marketplace listings referenced by product_url/search results) into the agent’s LLM context for summarization/selection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes a dedicated commerceBuy API that places real purchases: it accepts product_url, shipping_address, quantity, maxCost, etc., quotes totals (subtotal+shipping+tax+fee) and completes orders (returns order_id/order_status/tracking). This is a specific payment/execution capability to move money and create paid orders (not a generic browser or HTTP tool), so it grants direct financial execution authority.