skills-router
Warn
Audited by Snyk on Mar 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to query skills.sh (via "npx skills find"), to add and load public GitHub skill repos (e.g., "npx skills add https://github.com/..."), and then to "Load the skill (view_file the SKILL.md path shown)". In other words, the agent is required to fetch and read untrusted public SKILL.md files from skills.sh/GitHub, and the content of those files can change the agent's subsequent actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The meta-skill explicitly routes to payment and blockchain specialist skills (e.g., "stripe-best-practices" covering CheckoutSessions, webhooks, subscriptions) and even includes a concrete Stripe API call example (stripe.webhooks.constructEvent()). It also lists blockchain/web3 skills (Solana, DeFi, NFT minting) which are specific financial/transaction domains. Because the skill explicitly references and routes to payment gateway and blockchain integrations — not just generic APIs or browser automation — it presents direct financial execution capability via those specialist skills.