convex-http
Warn
Audited by Snyk on Feb 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill ingests untrusted, third-party request content (e.g., webhook bodies at /webhooks/stripe, JSON at POST /api/data and /api/process, and uploaded bytes at /api/upload) and directly reads/interprets that data as part of its handlers, exposing it to indirect prompt injection risks.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly integrates with Stripe: it includes a /webhooks/stripe handler, uses stripe.webhooks.constructEvent with STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET, and calls internal.payments.handleCheckout on checkout.session.completed. This is a payment gateway integration (Stripe) and therefore a specific financial execution capability.