one-flow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's flow runtime executes action steps against external platforms (e.g., Stripe, Gmail, HubSpot, Shopify) and then reads and branches on those API responses via selectors and transform/code/condition steps (see "Step Types — action" and the selector examples in SKILL.md), so untrusted third-party content can directly influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes connectors and action steps for financial platforms (examples and schema reference use platform: "stripe", "quick-books", "shopify" and show action steps like searching Stripe customers and creating QuickBooks invoices with an Amount field). Flows are executed via one --agent flow execute with connection keys and specific actionIds found via one actions search/one actions knowledge, so the agent can invoke platform-specific API actions (including payment gateway or accounting endpoints) directly. This is not generic browser automation or a generic HTTP caller — it provides explicit, named integrations for payment/accounting platforms and the ability to run actions that can create invoices/transactions. Therefore it grants direct financial execution capability.