payment-assistant

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly decodes and ingests untrusted, user-supplied QR content (from images, clipboard, base64 or --raw_qr) and then uses that content to choose payment type, determine amounts and drive API calls/flow (see SKILL.md "How to Handle QR Images" and payment_skill.py action_decode_qr / action_purchase and extension/* detect/purchase), so third‑party QR data can materially influence tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payment processor. It includes named payment APIs/endpoints (e.g., /binancepay/.../confirmPayment, /binancepay/.../parseQr, /binancepay/.../queryPaymentStatus), CLI actions that perform transactions (purchase → pay_confirm → poll), automatic routing for C2C and PIX QR payments, wallet auto-deduction, and configuration requiring PAYMENT_API_KEY / PAYMENT_API_SECRET and a bpay.binanceapi.com base_url. These are specific, purpose-built financial operations (creating orders, confirming and submitting payments, checking limits, and polling final payment status), not generic tooling. Therefore it grants Direct Financial Execution Authority.