zapier-israeli-integrations

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on external webhook/API data—e.g., Cardcom IndicatorUrl and other Webhooks by Zapier in "Step 5: Set Up Webhook-Based Israeli Integrations" and Example 1 (auto-receipt) as well as calls to Morning and the Tax Authority API—so untrusted third‑party payloads are read and used to drive filters and follow-up actions like creating invoices and requesting allocation numbers.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for billing and payment automation and includes concrete, payment-specific integrations and actions. It names and details payment gateways (Cardcom, Tranzila, Grow/ Meshulam), describes how to configure Cardcom's IndicatorUrl and Tranzila/ Grow webhooks, and instructs creating receipts/invoices via Morning (Green Invoice) REST API (including API key/JWT usage and Custom Request examples). It also references calling the Tax Authority allocation API for Invoice Reform thresholds and handling Bit payments via gateway providers. These are specific payment/payment-processing APIs and workflows (not just generic HTTP or browser automation), so the skill grants direct financial execution capability.