real-estate-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The workflow explicitly scrapes arbitrary listingUrl values using Firecrawl.extract in rules/url-to-video.md (Step 2 “Scrape Property Data”) — ingesting public third-party listing pages (e.g., Zillow) into propertyData which is then used to generate scripts and drive rendering, so untrusted page content can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The pipeline passes process.env.REMOTION_SERVE_URL into the Remotion render call (renderMediaOnLambda), which at runtime is used to fetch and execute the Remotion bundle (remote JS) required for rendering, so this external URL causes remote code execution and is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly lists "Stripe: Usage billing" in its Integrations. Stripe is a specific payment gateway (used to create charges, manage billing, etc.), which constitutes a direct financial execution capability. Other listed integrations (Firecrawl, Supabase, Convex, Clerk, etc.) are non-financial or generic and do not change this assessment.