ai-sdk-core

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly loads dynamic MCP tool definitions at runtime (see the "MCP Tools" section and the example calling experimental_createMCPClient with transport 'npx -y @modelcontextprotocol/server-filesystem' and then await mcpClient.tools()), which ingests third‑party/untrusted tool definitions that are incorporated into the agent prompt and can therefore enable indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes an explicit payment tool example: a tool named "payment" with an inputSchema ({ amount }) and an execute handler whose comment is "process payment". The Tool/Agent guidance also discusses dynamic approval based on payment amount (needsApproval for amount > 1000). Although it doesn't call Stripe/PayPal by name, the tool is explicitly defined to perform payment processing (i.e., move money), so it is specifically designed for financial execution rather than being a generic utility.