sap

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes code and examples that embed credentials verbatim (e.g., exporting SAP_CLIENT_SECRET and constructing an Authorization header from client-id:client-secret and a literal Password in the B1 login), which would require the LLM to handle/output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on external, user-generated webhook/API payloads (e.g., the Step 5 Shopify webhook handler app.post("/webhook/shopify/order") and other externalApi polling flows) and uses that content to drive automated SAP API actions, so untrusted third-party content can materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes APIs and example code to create financial transactions in ERP systems: it demonstrates creating sales orders, purchase orders, invoices, and posting incoming payments (e.g., the SAP Business One Service Layer POST to /Invoices and POST to /IncomingPayments with CashSum and PaymentInvoices). Those are specific, purpose-built financial operations (creating invoices and recording/applying payments) rather than generic automation or generic HTTP calls. Therefore it provides direct financial execution capability.