portlang

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows fetching and ingesting arbitrary public web content—e.g., the shell http_get tool using "curl -s {url}" in reference/custom_tools.md and the "api-integration" recipe in reference/field_recipes.md, plus MCP HTTP servers and the Claude Code runner (SKILL.md) which provide WebSearch/WebFetch—so the agent is expected to read untrusted third-party pages that can materially influence its tool calls and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docs include runtime MCP tool examples that contact and run third‑party services or fetch+execute packages (e.g., an HTTP MCP endpoint url = "https://mcp.stripe.com" and runtime npx -y @modelcontextprotocol/server-filesystem), which will be contacted/installed during a run and can directly control tool responses and thus agent behavior — flagged URL: https://mcp.stripe.com

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly defines an MCP tool named "stripe" with a URL and Authorization header (Bearer ${STRIPE_KEY}). This is a concrete, payment-gateway integration (Stripe) able to perform HTTP calls with live credentials, which is a specific tool for moving money / interacting with payments. Generic tools (bash, HTTP, python) alone would be ignored, but the documented Stripe MCP entry is a direct financial execution capability.