flows-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to "scrape this URL" and "search the web" and provides a call_paid_api tool that returns upstream responses from a multi-source public catalog (CDP Bazaar, PayAI, etc.), meaning the agent will fetch and read untrusted third‑party content that could contain instructions influencing its actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to initiate paid transactions on behalf of the user. It provides a call_paid_api tool that triggers payment to an upstream seller (returns actual_cost_usd and paid_to), explain_cost exposes recipient wallet/asset/network, and the platform settles sellers in USDC on-chain (Base, Solana). The skill manages user credit balance, auto-topup, and enforces daily spend caps — all features that control and execute spending. This is not a generic HTTP/click tool: its primary purpose is to spend the user's credits and pay recipients, i.e., execute financial transactions.