webmcp-tool-annotations

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "Before writing code" steps explicitly instruct the agent to fetch and web-search public third-party sites (e.g., https://webmachinelearning.github.io/webmcp/ and searches on developer.chrome.com and github.com), so the agent will read and act on untrusted web content that can influence annotation decisions and subsequent tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes an explicit "Commerce Tool Annotation Guide" that lists tool names whose primary purpose is to complete purchases and modify payments (examples: "checkout", "placeOrder" with the description "Complete the purchase and charge the payment method"). Although the document focuses on annotations, it explicitly defines and documents tools whose primary and explicit function is to move money (complete purchases/charge payment methods). That matches the "Direct Financial Execution" criteria (tools that send transactions / charge payment methods), so it should be flagged.