webflow-core-workflow-b

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Form Submissions" section explicitly calls webflow.forms.listSubmissions (see getFormSubmissions/exportFormData) to fetch and iterate over formSubmissions.formData — user-generated, untrusted form data from public sites that the agent is expected to read and could materially influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes explicit ecommerce APIs (create/update products with prices, manage orders, update order status to "fulfilled", and—critically—calls webflow.orders.refund to refund orders). The presence of an order-refund API constitutes a specific payment-related action (moving money/issuing refunds), so this is direct financial execution capability.