vercel-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests untrusted third-party content — e.g., the fetchData tool (execute: await fetch(url)) that fetches arbitrary URLs, webhook/hook examples (createWebhook/createHook and resumeWebhook) that accept external HTTP payloads (e.g., GitHub webhooks), and the DurableAgent searchWeb tool/searchAPI which pulls web search results — so the agent is expected to read and interpret public user-generated or external web content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly shows calls to payment APIs and a Stripe example. It includes a processPayment step that calls paymentAPI. Most decisively, the idempotency example directly uses stripe.charges.create to create charges with an idempotency_key. Stripe is a payment gateway, so the skill contains specific, explicit financial execution functionality.