one

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt requires constructing CLI commands that take literal connection keys and shows examples embedding API keys (e.g., "sk-..."), so an agent would likely need to read and emit secret values verbatim (connection keys / API keys) — creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on untrusted third‑party content—e.g., webhook payloads used in templates (references/relay.md shows {{payload.*}} forwarded via passthrough actions) and flow steps that read API responses/selectors to drive actions (references/flows.md and SKILL.md describe action/flow steps, dynamic flow keys, and memory sync of external platform data) — so external/user-generated content is read and can change subsequent tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes platform-specific support for payment gateways (Stripe is named multiple times) and provides commands to execute API actions against connected platforms (one --agent actions execute ...). It also includes Stripe-specific sync and query commands (e.g., sync init stripe balanceTransactions, one --agent sync run stripe, one --agent sync query stripe/balanceTransactions) and webhook/workflow examples involving Stripe events. Those are specific, explicit integrations for a payment provider and allow executing API calls that can create charges, refunds, or other money-moving operations. Therefore it grants direct financial execution capability.