cookiy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on user-generated third‑party content — e.g., interview transcripts and playback_page_urls returned by cookiy_interview_playback_get (and other cookiy_* tool responses / structuredContent) — and the SKILL.md and reference workflows require the agent to read those responses and use them to drive recruitment, guide edits, report sharing, and other decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill depends at runtime on Cookiy's MCP endpoint (https://s-api.cookiy.ai/mcp), whose structured responses (status_message, next_recommended_tools, structuredContent) directly control agent prompts and workflow decisions (and the documented installer command npx cookiy-mcp fetches/executes remote code), so this external URL is a required runtime dependency that can steer agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes billing/payment tools and workflows that allow the agent to charge or add cash credit and confirm balances. It names a concrete checkout tool (cookiy_billing_cash_checkout) for "Add cash credit (USD cents) before paid actions," describes 402/checkout_url handling, and instructs confirming with cookiy_balance_get. These are specific payment/billing APIs (not generic HTTP or browser automation) that perform monetary transactions/crediting, so the skill grants direct financial execution capability.