mpp-tempo-method
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md "Before writing code" steps explicitly require fetching live docs from public sites (https://docs.stripe.com/payments/machine/mpp, https://mpp.dev/overview) and web-searching GitHub/the open web, so the agent must read untrusted third‑party content that can change configuration and behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to handle financial transactions. It defines a Tempo blockchain payment method for USDC, includes server-side code that configures secret keys, recipient addresses, and a tempo.charge(...) method, and shows direct Stripe PaymentIntent creation for crypto deposits (including preview API usage and deposit addresses). It also discusses refunds via the Stripe Refunds API, monitoring receiving wallets, and use of private keys. These are concrete payment gateway and crypto/blockchain integration capabilities intended to send/receive and settle funds — not generic tooling. Therefore it grants direct financial execution authority.
Issues (2)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).