ifood

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The flow explicitly instructs the agent to ask for verification codes (OTP via WhatsApp/SMS) and to enter those codes into the site's fields via browser actions, which requires the LLM to handle secret values and include them verbatim in its action outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly automates a browser to navigate and scrape public sites (e.g., https://www.ifood.com.br/mercados and prezunic.com.br as shown in SKILL.md and references/browser_patterns.md), extracts and interprets DOM content (product names, prices, images, coupons, Pix codes) and then uses those extracted values to drive decisions and actions (build carts, choose substitutions, apply coupons, and place orders), which clearly exposes the agent to untrusted third‑party content that could carry indirect prompt-injection instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill contains explicit, step-by-step automation to complete checkout and place orders (iFood). It instructs the agent to select payment methods (including Pix), click the "Fazer pedido" button (class checkout-payment__submit), confirm the order modal ("Confirmar e fazer pedido"), and extract the Pix payment code for the user. Those are concrete actions to initiate/confirm payments on a payment checkout flow (iFood), not just generic browsing. Even though it requires explicit user authorization before finalizing, the skill explicitly automates sending the transaction/order and handling payment-specific data (Pix). Therefore it grants direct financial execution capability.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 3, 2026, 11:06 PM