openai-responses

Status: Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill includes built-in web_search (templates and guides show tools: [{type: 'web_search'}]), which fetches real-time results from the open web, plus file_search (user-uploaded files) and MCP integrations that call external MCP servers. All of these supply untrusted third-party or user-generated content that the agent is expected to read and interpret, so instructions embedded in a web page, an uploaded file or an MCP tool result can steer the agent without ever appearing in the operator's prompt.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime MCP tool usage passes server_url values (e.g. https://mcp.stripe.com) into openai.responses.create calls, so the Responses API contacts those external MCP endpoints at runtime to discover and execute tools and returns their results, which directly influence agent behavior. Each such endpoint is a remote party that can supply tool descriptions and tool results that shape the agent's prompts and actions, and that executes code on the agent's behalf; its trustworthiness cannot be verified from the skill itself.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly documents MCP server integration with payment gateways, naming Stripe and providing a concrete example ("Get my Stripe balance") that uses an MCP server labeled 'stripe' with an authorization token. MCP is described as a built-in connector for external tools (Stripe, databases, custom APIs) and shows the flow for invoking those servers (including authorization and user approval). These are specific, non-generic references to a payment gateway API and an example of performing financial queries via that connector, which meets the criteria for Direct Financial Execution capability.
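The three findings above share one control point: the `tools` list handed to openai.responses.create. The following is an added example, not part of the audited skill or of Snyk's report, of a pre-flight check an operator can run on that list before a request is sent. It flags tools that inject untrusted content (W011), rejects MCP servers that are not on an operator allowlist or not reached over HTTPS (W012), and requires that a money-capable server such as Stripe run with per-call approval and a pinned set of tool names (W009). The MCP field names `server_label`, `server_url`, `headers`, `require_approval` and `allowed_tools` follow the Responses API schema as documented at the time of writing and should be checked against the current API reference; the allowlist, the tool names and the sample request are constructed for this example.

```python
"""Pre-flight policy check for an OpenAI Responses API `tools` list.

Added example (not part of the audited skill or of Snyk's report). It runs
offline: nothing is sent, the tool definitions are only inspected before they
would be passed to openai.responses.create(...).

Assumptions: the MCP tool fields `type`, `server_label`, `server_url`,
`headers`, `require_approval` and `allowed_tools` follow the Responses API
schema as documented at the time of writing; the allowlist, the permitted tool
names and the sample request below are hypothetical values for this example.
"""
from urllib.parse import urlparse

# Hypothetical operator allowlist: host -> MCP tool names the agent may call there.
MCP_ALLOWLIST = {
    "mcp.stripe.com": {"retrieve_balance"},
}

# Built-in tools that feed third-party or user-generated content to the model
# (the W011 finding). Their presence is reported as a warning, not blocked.
UNTRUSTED_CONTENT_TOOLS = {"web_search", "web_search_preview", "file_search"}


def check_tools(tools):
    """Return (errors, warnings) for a Responses API `tools` list.

    errors   -> the request must not be sent
    warnings -> allowed, but the operator should know
    """
    errors, warnings = [], []
    for i, tool in enumerate(tools):
        ttype = tool.get("type")
        if ttype in UNTRUSTED_CONTENT_TOOLS:
            warnings.append(f"tool[{i}] {ttype}: injects untrusted content into the context")
            continue
        if ttype != "mcp":
            continue
        label = tool.get("server_label", "<unlabelled>")
        url = tool.get("server_url", "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            errors.append(f"mcp '{label}': server_url must be https, got {url!r}")
        host = parsed.hostname
        if host not in MCP_ALLOWLIST:
            errors.append(f"mcp '{label}': host {host!r} not in allowlist")
            continue
        # Every call to an allowlisted server is surfaced for human approval; a
        # server that can move money must never run unattended (W009/W012).
        if tool.get("require_approval") != "always":
            errors.append(f"mcp '{label}': require_approval must be 'always'")
        allowed = tool.get("allowed_tools")
        if not allowed:
            errors.append(f"mcp '{label}': allowed_tools must pin the permitted tool names")
        else:
            extra = set(allowed) - MCP_ALLOWLIST[host]
            if extra:
                errors.append(f"mcp '{label}': tools not permitted on {host}: {sorted(extra)}")
        # Credentials travel in `headers`; make sure they never reach a log line.
        for key in tool.get("headers", {}):
            if key.lower() == "authorization":
                warnings.append(f"mcp '{label}': carries an Authorization header; redact before logging")
    return errors, warnings


def redact_tools(tools):
    """Copy of `tools` that is safe to log: every header value becomes '***'."""
    out = []
    for tool in tools:
        t = dict(tool)
        if "headers" in t:
            t["headers"] = {k: "***" for k in t["headers"]}
        out.append(t)
    return out


# Constructed sample resembling the "Get my Stripe balance" flow from the report.
SAMPLE_TOOLS = [
    {"type": "web_search"},
    {
        "type": "mcp",
        "server_label": "stripe",
        "server_url": "https://mcp.stripe.com",
        "headers": {"Authorization": "Bearer sk_test_placeholder"},
        "require_approval": "never",                               # violates policy
        "allowed_tools": ["retrieve_balance", "create_refund"],    # create_refund not allowed
    },
    {
        "type": "mcp",
        "server_label": "notes",
        "server_url": "http://mcp.example.internal",               # not https, not allowlisted
    },
]

if __name__ == "__main__":
    errs, warns = check_tools(SAMPLE_TOOLS)
    for line in errs:
        print("ERROR ", line)
    for line in warns:
        print("WARN  ", line)
    print(redact_tools(SAMPLE_TOOLS))
```

Run against the constructed sample, the check produces four errors (unattended Stripe server, a tool name outside the Stripe allowance, a plain-HTTP server, an unknown host) and two warnings (web_search content, a bearer token in headers); the request would be refused. The same structure can be extended with a hash of each server's advertised tool list to detect a server whose tool descriptions change between runs, which is the W012 "endpoint that controls the agent" risk in practice.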
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 08:08 PM