elevenlabs-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports Server Tools/webhooks that call arbitrary public APIs (e.g., "https://api.weather.com/v1/current"), MCP tool integrations and RAG knowledge bases that ingest documents and connect to third-party sources like Google Drive/Notion, and the agent is expected to read and use those external results during conversations—exposing it to untrusted, user-generated third‑party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The embed script https://elevenlabs.io/convai-widget/index.js is included as a client-side runtime dependency (widget) that loads and executes remote JavaScript which controls the agent UI/behavior, meeting the criteria for a runtime remote-code dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly documents server-side tool/webhook configurations and lists "Process payments (Stripe, PayPal)" as a primary use case. It also exposes secret variable patterns like {{secret__stripe_api_key}} and shows server tool/webhook examples and CLI commands to add and execute webhooks. These are concrete, payment-gateway-specific integrations (not just generic HTTP or browser automation), which grant the agent the ability to call payment APIs and move money.