marketing-retention

Warn

Audited by Snyk on Mar 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and audit live public URLs and competitor sites using agent-browser/WebFetch (see "Context C -- Live Website URL / Audit Mode" in SKILL.md and the agent-browser commands in references/research-playbook.md), so it will ingest untrusted third-party web content that can influence actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill's Research Mode explicitly runs agent-browser at runtime to open and extract third-party pages (e.g., https://churnkey.co/blog), injecting that external page content into the agent's context to drive its recommendations (and even suggests installing agent-browser via npm), so external web content and remote-install code are used at runtime and can directly influence prompts/execute code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly targets payment recovery and dunning and references concrete payment gateway features and vendors (Stripe, Braintree, Chargebee, Recurly, Stripe Billing Smart Retries, Card Updater/Account Updater). It instructs inspecting billing platform integrations in codebases and enabling/configuring payment-recovery features (e.g., "enable Card Updater and Smart Retries", "Churnkey integrates directly", "check what dunning is in place (ask about billing platform)"). These are specific, payment-gateway-related operations (not generic browser or API tooling) and therefore constitute direct financial execution capability per the core rule.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Mar 13, 2026, 04:02 AM
  • Issues: 3