convex-http-actions

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill defines HTTP webhook endpoints (e.g., /webhooks/stripe, /webhooks/github, /webhooks/clerk) that parse and act on arbitrary external request bodies from third-party services and then run internal actions/mutations based on those payloads, so untrusted third-party content is ingested and can materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes explicit Stripe/payment gateway integration: it constructs a Stripe client with STRIPE_SECRET_KEY, verifies Stripe webhook signatures, and handles payment-related events (e.g., "checkout.session.completed", subscription updates) that call internal payment/subscription mutations. This is a specific payment gateway integration (not a generic HTTP tool), so it grants direct financial execution capabilities.