advanced-features-2025

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly lets the agent configure and talk to external MCP servers and HTTP/SSE endpoints (references/mcp-patterns.md shows arbitrary URLs and services like GitHub/Slack/Stripe) and to auto-install plugins from external marketplaces (references/team-distribution.md), so the agent can ingest and act on untrusted, user-generated third‑party content as part of its workflow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill's MCP Server Integration section explicitly shows a Stripe configuration ("stripe" mcpServer with STRIPE_API_KEY). Stripe is a payment gateway, and this example demonstrates a specific integration for a payment service (use of STRIPE_API_KEY), which constitutes a direct financial execution capability. While most of the skill is general plugin infrastructure, the explicit Stripe example (and guidance to document required env vars for secrets) meets the criterion for a payment-gateway integration.