adcp-media-buy
Warn
Audited by Snyk on Mar 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's Key Concepts state the agent "resolves the domain to retrieve the brand's identity (name, colors, guidelines, etc.) from its brand.json file" (and format_id.agent_url can point to external creative agents), which clearly requires fetching and interpreting content from arbitrary third-party domains that can influence campaign creation and tooling decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly states the agent resolves the brand domain (e.g., acmecorp.com) at runtime to fetch its brand.json, and it also uses an agent_url (e.g., https://creative.adcontextprotocol.org) to load format definitions—both are fetched during runtime and can directly influence agent prompts/instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to create and manage advertising purchases: it exposes create_media_buy (with package-level "budget", "bid_price", pricing_option_id), and update_media_buy (with "budget_change") as core operations. Those are APIs to place media-buy orders and to modify ad spend/budgets (and responses include statuses indicating execution). Managing ad spend via these specific endpoints meets the "Direct Financial Execution" criterion.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata