python-data-pipelines

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and processes untrusted third‑party content — e.g., SKILL.md and references state "Bring data into the SaaS from outside systems and unstructured inputs — APIs, files, images, PDFs" and references/etl-external-apis.md and references/pdf-extraction.md show fetching external APIs (httpx/Stripe client) and parsing user-uploaded PDFs/images (ocrmypdf/pytesseract), which the agent is expected to read and act on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly targets financial integrations: it names Stripe and "payment gateways", "bank feeds", and shows concrete code using a StripeClient to sync invoices (per-tenant API keys, watermarks, upserts, DLQ handling). Those are specific payment/banking APIs (not generic browser or HTTP tooling) and therefore meet the "payment gateways / banking APIs" criterion for Direct Financial Execution risk.