NYC

workflow

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly demonstrates fetching arbitrary URLs (importing and using fetch, e.g., fetch("https://api.example.com/data")) and receiving external input via createWebhook/request.json() and createHook/resumeHook, which means workflows will ingest untrusted third-party HTTP/webhook content that the agent is expected to read/interpret.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The documentation includes an explicit example calling a payment gateway API: in the Idempotency section it shows a step function that calls stripe.charges.create with an idempotencyKey. That is a direct reference to executing payment transactions (Stripe). Although the framework is a general workflow toolkit, the presence of a concrete payment API call constitutes direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 01:02 AM