mpp-dev-patterns

Warn

Audited by Snyk on Jun 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). High: the required workflow says to “Fetch live docs” by web-searching and fetching public URLs (e.g., paymentauth.org, IETF datatracker, Stripe docs, npmjs), which can return arbitrary free-form page text that an agent may ingest into the LLM context.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The document is explicitly about payment processing (MPP) and integration patterns. It refers to payment gateway integration and secrets (e.g., "STRIPE_SECRET_KEY — Stripe API key", "Use Stripe test mode keys", "Fetch https://docs.stripe.com/..."), crypto wallet keys ("WALLET_PRIVATE_KEY — Crypto wallet key", "Tempo testnet"), and describes server behaviors for issuing/consuming payment challenges, verifying receipts, and atomic delivery upon payment verification. These are specific and operational payment-related artifacts (API keys, wallet private keys, testnets, receipt validation) rather than generic tooling. Under the policy, this qualifies as a skill specifically designed for financial operations (payment gateways and crypto wallet handling) and therefore constitutes Direct Financial Execution authority.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 02:50 PM
Issues
2
Security Audit — snyk — mpp-dev-patterns