advanced-features-2025

Warn

Audited by Snyk on Mar 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly supports integrating external MCP servers (including HTTP/SSE URLs) and installing plugins from public marketplaces (references/mcp-patterns.md and references/team-distribution.md) and also documents "prompt"-type hooks that deliver instructions to Claude (references/hooks-advanced.md), so the agent can ingest untrusted third-party content (from external APIs, marketplaces, or user-generated sources) that can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes MCP server configs that explicitly run remote packages at runtime (e.g., "npx -y @stripe/mcp-server" and "npx -y @modelcontextprotocol/server-github") and MCP HTTP/SSE endpoints (e.g., "https://api.example.com/mcp"), which would fetch/execute remote code or connect to external servers that can provide instructions/tools to the agent at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill's MCP Server Integration section explicitly shows a Stripe configuration ("stripe" mcpServer with STRIPE_API_KEY). Stripe is a payment gateway, and this example demonstrates a specific integration for a payment service (use of STRIPE_API_KEY), which constitutes a direct financial execution capability. While most of the skill is general plugin infrastructure, the explicit Stripe example (and guidance to document required env vars for secrets) meets the criterion for a payment-gateway integration.


Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 20, 2026, 12:06 PM
Issues: 3