ai-sdk-core

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md shows runtime ingestion of dynamic MCP tool definitions (experimental_createMCPClient -> mcpClient.tools() using an external MCP server/process, e.g., "npx -y @modelcontextprotocol/server-filesystem"), which fetches untrusted third‑party tool definitions that are incorporated into the agent's tools/prompt and can materially alter tool use and agent behavior, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes an MCP client using a stdio transport that runs "npx -y @modelcontextprotocol/server-filesystem" at runtime, which fetches and executes remote npm package code to supply MCP tool definitions that become part of the agent prompt and thus directly control instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes an explicit payment tool example: a tool named "payment" with an inputSchema ({ amount }) and an execute handler whose comment is "process payment". The Tool/Agent guidance also discusses dynamic approval based on payment amount (needsApproval for amount > 1000). Although it doesn't call Stripe/PayPal by name, the tool is explicitly defined to perform payment processing (i.e., move money), so it is specifically designed for financial execution rather than being a generic utility.