openai-responses
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly uses the web_search tool (real-time web information) and MCP tool connections to arbitrary external server URLs (see SKILL.md "Built-in Tools" / references/built-in-tools-guide.md and the templates templates/cloudflare-worker.ts and templates/mcp-integration.ts, where web_search and mcp server_url are invoked), and those third-party results are consumed and used to drive responses and tool actions, creating a clear path for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's runtime examples explicitly pass MCP server URLs (e.g., https://mcp.stripe.com, https://dmcp.example.com, https://db-mcp.example.com) into openai.responses.create so the Responses API will query those servers for tool definitions and invoke their call endpoints at runtime, which can directly control agent tooling/behavior and execute remote actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly documents MCP server integration with payment gateways, naming Stripe and providing a concrete example ("Get my Stripe balance") that uses an MCP server labeled 'stripe' with an authorization token. MCP is described as a built-in connector for external tools (Stripe, databases, custom APIs) and shows the flow for invoking those servers (including authorization and user approval). These are specific, non-generic references to a payment gateway API and an example of performing financial queries via that connector, which meets the criteria for Direct Financial Execution capability.
Audit Metadata