pd-shared

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Generic Proxy — Making Any API Call" section (the proxy URL pattern and makeProxyRequest examples) shows the skill can fetch and ingest content from arbitrary third-party APIs (e.g., Slack, GitHub, Notion), which are untrusted/user-generated sources and could materially influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes a proxy that can make authenticated API calls to 2,000+ apps and explicitly lists Stripe (payment gateway) among supported app slugs. The proxy automatically injects users' credentials and supports POST/PUT/DELETE requests, so it can be used to create charges, refunds, or otherwise perform write operations against payment APIs (e.g., Stripe). Because a specific payment gateway integration (Stripe) is named and the tool is explicitly designed to proxy authenticated requests to such APIs, it qualifies as direct financial execution capability.