gpt-pp-team-protocol-replay
Audited by Snyk on Apr 29, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Although many listed URLs point to legitimate services (OpenAI, Stripe, PayPal, Cloudflare, localhost), the package/install instructions and an unvetted GitHub repo (DanOps-1/gpt-pp-team) that fetches third-party components (camoufox, browserforge, fetched binaries) and tells users to run setup scripts make this a high-risk source for malware/abuse.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This codebase is intentionally designed to automate and subvert payment and anti-fraud systems (Stripe/PayPal replay, hCaptcha solver, proxy/IP rotation, Cloudflare catch-all domains, mitmproxy captures) and to harvest/store refresh_tokens and other credentials—behaviors that enable payment circumvention, credential/token exfiltration, and account takeover.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly drives a browser to live third-party pages and network captures—e.g., Playwright page.goto("https://example.com/page-with-hcaptcha"), instructions to re-capture live stripe.js via devtools/mitmproxy, and parsing hCaptcha challenges—so it ingests untrusted web content (Stripe/PayPal/hCaptcha pages and network payloads) that the agent must interpret to decide actions (solve CAPTCHAs, update fingerprints), enabling indirect prompt-injection vectors.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill calls the external vision/model API at https://api.openai.com/v1 (VLM_BASE_URL) during runtime to obtain model outputs that directly drive the hCaptcha solver's actions (i.e., remote model responses control the agent's decisions), so external content influences/controls agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to replay and complete payment/billing flows: it contains a dedicated Stripe Checkout replay module (CTF-pay/card.py) that performs "Stripe payment intent confirm", logic to poll stripe state=succeeded, and PayPal billing agreement flows ("POST https://www.paypal.com/agreements/approve"). Configuration and env vars include PayPal credentials and API tokens. The pipeline orchestrates Stripe confirm + PayPal billing agreement and includes code and instructions to maintain Stripe runtime fingerprints to successfully submit payment requests. These are specific payment gateway integrations (Stripe, PayPal) intended to send/confirm transactions, so this grants direct financial execution capability.