sf-payments

Warn

Audited by Snyk on Jun 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The required workflow includes “Web-fetch the Salesforce Payments setup guide and B2C payment hook documentation” and other “Web-search” steps, which can pull outsider-authored free text from public web pages into the agent’s LLM context at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and specifically about payment processing and contains direct financial execution capabilities. It defines the authorize/capture/refund/void lifecycle, references integrating with payment processors (Stripe, Adyen, PayPal), and provides concrete hook/method names and code patterns (authorize, capture, refund, sale) including a PaymentGatewayAdapter Apex interface to implement processor API calls and return transaction IDs/status. It also discusses storing API keys, tokenization, webhook verification and handling captures/refunds/voids — all explicit operations that move or manage funds rather than generic tooling. Therefore this skill grants direct financial execution authority.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 02:50 PM
Issues
2
Security Audit — snyk — sf-payments