mpp-tempo-method

Warn

Audited by Snyk on Jun 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). The required workflow explicitly fetches multiple public web pages at runtime (e.g., https://docs.stripe.com/..., https://mpp.dev/overview, and web-search results), and those fetched page contents are outsider-authored free text that would be ingested into the agent’s LLM context.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for processing payments: it defines a Tempo blockchain payment method, includes code to create tempo.charge via an Mppx server library (requiring secret keys and recipient addresses), details the USDC contract and deposit address flow, and shows creating Stripe PaymentIntents for crypto (including deposit address retrieval) plus refund logic via the Stripe Refunds API. These are specific payment/crypto APIs and functions intended to move funds and manage settlement/refunds, so it grants direct financial execution capability.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 02:51 PM
Issues
2
Security Audit — snyk — mpp-tempo-method