b2a-agents
Warn
Audited by Snyk on Mar 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's handlers explicitly fetch and ingest external data (e.g., the lookup handler fetches from "https://api.example.com/${ctx.input.id}" and the aggregate handler calls aggregateFromSources with multiple sources), and the documentation explicitly targets public data types such as "News & Events" and "Social Signals", so untrusted third-party content would be read and used to produce agent outputs.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes a payments integration and priced endpoints: the template imports and uses a payments plugin (payments, paymentsFromEnv) and defines per-endpoint price fields (e.g., price: { amount: 1000 }). That is not just a generic API caller or billing comment — it embeds payment-handling functionality to charge callers for access. Because it contains explicit payment-handling code/constructs intended to collect money for API calls, it constitutes direct financial execution capability.