workflow-automation
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill includes workflow nodes that perform HTTP requests to arbitrary URLs (e.g., "{{trigger.data.api_url}}", "/api/items", monitoring RSS) and an agent node that lists "web_search" as a tool to gather up-to-date information, meaning the agent will fetch and read untrusted public web/user-generated content as part of its workflow.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill includes explicit payment-related integrations and actions. The "Webhook Handler" example is specifically for Stripe (path "/webhooks/stripe", "stripe-signature", STRIPE_WEBHOOK_SECRET, and Stripe event types like "checkout.session.completed" and "payment_intent.succeeded"). The "saga_workflow" example also contains nodes named "charge_payment" with a compensating "refund_payment", indicating API-driven payment/refund operations. These are specific payment gateway/payment-operation artifacts (not just generic HTTP/webhook examples), so the skill enables direct financial execution.