bitrefill-website

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md explicitly instructs the agent to browse and inspect public Bitrefill pages (e.g., using Chrome DevTools and directing to bitrefill.com/{lang}/{country}/gift-cards/?q={query}), which requires reading open/public third‑party website content that can influence actions like product selection and purchases.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides APIs and tools for making purchases and handling payments on Bitrefill: it documents the Official API (api.bitrefill.com/v2) and an MCP endpoint that expose actions like buy-products, list-invoices, and list-orders, and it notes buying and paying with crypto or card (including Bitcoin/Lightning). These are specific, purpose-built endpoints to execute financial transactions/orders (not generic browsing or scraping), and thus constitute direct financial execution capability.