create-payment-credential

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required Core flow (Step 2: "Navigate to the merchant page — browse it, read the page content, and understand how the site accepts payment") instructs the agent to fetch and interpret arbitrary merchant webpages (public third-party content) which directly determines credential type and subsequent tool actions, exposing it to untrusted indirect prompt injection via page content or headers like WWW-Authenticate.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs running "npx @stripe/link-cli", which fetches and executes remote code from the npm registry (e.g. https://registry.npmjs.org/@stripe/link-cli) at runtime, making it a required external dependency that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly built to obtain and use payment credentials and to complete payments via Link/Stripe. It documents commands to create spend requests (link-cli spend-request create), retrieve live card PANs (spend-request retrieve --include card), and perform programmatic 402 flows/payments (link-cli mpp pay --spend-request-id ...). It issues one-time virtual cards and shared payment tokens (SPTs) and instructs how to complete checkout flows. This is a specific payment gateway integration (Stripe/Link) whose primary purpose is sending transactions and enabling purchases on behalf of users — i.e., direct financial execution.