base44-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow includes commands that fetch remote, user-authored agent configurations (e.g., "npx base44 agents pull" described in references/agents-pull.md and the agent schema in SKILL.md), which contain freeform "instructions" that the system may read and that can materially change agent behavior, so it clearly ingests untrusted third-party content from the Base44 backend.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly lists connectors for external services and specifically names "stripe" as a supported connector type (not returned by list-available but treated as supported and provisioned automatically on the server side). Connectors provide OAuth/access tokens for backend functions to call external APIs, and the CLI includes commands to create/push connectors and run pre-authenticated scripts that can invoke backend functions. This is a specific, explicit integration point for a payment gateway (Stripe), which meets the "Payment Gateways" criterion for Direct Financial Execution.