accounts-payable-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and interprets vendor-supplied emails and attachments (see ingestInvoiceFromEmail in evals/three-way-matching-and-invoice-ingestion/task.md and SKILL.md guidance to forward supplier invoices to BILL/QuickBooks inboxes), meaning the agent will parse untrusted third‑party email/PDF/image content that can affect matching, approvals, and payment actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about managing payables and includes concrete, actionable payment capabilities: scheduling and initiating vendor payments (e.g., BILL schedules ACH/check payments; QuickBooks "Pay Bills" → choose payment method; Tipalti for mass global payments), and references integrating with payment/banking platforms (Stripe Treasury, Plaid). These are specific tools and flows that move money (initiate transfers/ACH/checks), not just generic automation or API callers. Therefore it grants direct financial execution authority.