openai-responses
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly uses the built-in web_search tool (see Built-in Tools Guide and templates/web-search.ts) to fetch live web pages and URLs, and it also demonstrates calling external MCP servers (templates/mcp-integration.ts). The agent is expected to read and act on those untrusted third-party web and MCP outputs as part of its workflow, so instructions embedded in a fetched page or a server response can steer the model (indirect prompt injection).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly documents MCP server integration with payment gateways, naming Stripe and providing a concrete example ("Get my Stripe balance") that uses an MCP server labeled 'stripe' with an authorization token. MCP is described as a built-in connector for external tools (Stripe, databases, custom APIs), and the skill shows the flow for invoking those servers, including passing the authorization header and handling user approval. These are specific, non-generic references to a payment gateway API together with an example of performing a financial query through that connector, which meets the criteria for the Direct Financial Execution capability. Combined with W011, the practical concern is that injected web or MCP content could induce the agent to call a money-moving tool on that connector unless every call is gated by human approval and restricted to an allowlist of read-only tools.
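The two findings above meet at the MCP tool definition and the approval step. The following TypeScript is an added example written for this audit page; it is not code from the audited skill, from OpenAI, or from Stripe. It shows a hardened MCP tool entry for the OpenAI Responses API (require_approval set to "always", allowed_tools restricted), a lint that flags the weak settings, and a policy gate that decides mcp_approval_request items server-side rather than trusting the model. The field names follow the Responses API MCP tool and approval-item documentation as the author of this example understands them; the Stripe server URL, the Stripe tool names (retrieve_balance, list_customers, create_refund) and the policy shape are assumptions for illustration.

```typescript
// Added example for the Snyk findings W009/W011 above; not part of the audited skill.
// Field names follow the OpenAI Responses API MCP tool as documented; server URL,
// tool names and the policy shape are assumptions for illustration.

type McpTool = {
  type: "mcp";
  server_label: string;
  server_url: string;
  headers?: Record<string, string>;
  allowed_tools?: string[];
  require_approval: "always" | "never" | { never: { tool_names: string[] } };
};

// Output item the API emits when an MCP call needs a human decision (shape assumed).
type McpApprovalRequest = {
  type: "mcp_approval_request";
  id: string;
  server_label: string;
  name: string;
  arguments: string; // JSON-encoded tool arguments chosen by the model
};

type McpApprovalResponse = {
  type: "mcp_approval_response";
  approval_request_id: string;
  approve: boolean;
  reason?: string;
};

// Assumed read-only tool names on the Stripe MCP server; money-moving tools are excluded.
const STRIPE_READ_ONLY: string[] = ["retrieve_balance", "list_customers"];

// Hardened tool entry: every call is gated and only allowlisted tools are exposed.
function stripeMcpTool(token: string): McpTool {
  return {
    type: "mcp",
    server_label: "stripe",
    server_url: "https://mcp.stripe.com", // assumed URL
    headers: { Authorization: `Bearer ${token}` },
    allowed_tools: STRIPE_READ_ONLY,
    require_approval: "always",
  };
}

// Static check in the spirit of the audit: returns one finding per weak setting.
function lintMcpTool(tool: McpTool): string[] {
  const findings: string[] = [];
  if (tool.require_approval !== "always") {
    findings.push("require_approval is not 'always': tool calls can run without a human gate");
  }
  if (!tool.allowed_tools || tool.allowed_tools.length === 0) {
    findings.push("allowed_tools is unset: every tool the server exposes is callable");
  }
  if (!tool.server_url.startsWith("https://")) {
    findings.push("server_url is not https: the Authorization header would travel in cleartext");
  }
  return findings;
}

type ApprovalPolicy = { servers: Record<string, string[]> };

function deny(req: McpApprovalRequest, reason: string): McpApprovalResponse {
  return { type: "mcp_approval_response", approval_request_id: req.id, approve: false, reason };
}

// Policy gate: the decision comes from an allowlist held by the application, never from
// model output, so content injected via web_search or an MCP response cannot unlock a tool.
function gateApproval(req: McpApprovalRequest, policy: ApprovalPolicy): McpApprovalResponse {
  const allowed = policy.servers[req.server_label];
  if (!allowed) return deny(req, `unknown MCP server '${req.server_label}'`);
  if (!allowed.includes(req.name)) return deny(req, `tool '${req.name}' is not allowlisted`);
  try {
    JSON.parse(req.arguments); // malformed arguments are rejected rather than forwarded
  } catch {
    return deny(req, "arguments are not valid JSON");
  }
  return { type: "mcp_approval_response", approval_request_id: req.id, approve: true };
}
```

The approval response items are what the application sends back in the next request's input; the gate runs before that, so a denied request never reaches the Stripe server even if the model was convinced to ask for a refund.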