fakturoid
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill fetches and displays user-generated content from the Fakturoid API (e.g., invoices, messages, inbox/OCR files, events and webhook payloads). This is untrusted third-party text that the agent is expected to read, and it could contain injected instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a dedicated invoicing API integration (Fakturoid) with explicit payment-related endpoints and commands: invoice/expense "pay" and "pay-delete" operations, "invoice-payments" and "expense-payments" references, payment tracking, bank account listing, and payment methods including "paypal" and "card". These are specific financial operations (recording/creating payments and managing invoice payments), so the skill meets the rule for Direct Financial Execution authority.
Audit Metadata