cdr-platform

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill's required workflow (e.g., "membrane action run" and "membrane request" in SKILL.md, and the linked CDR Platform docs at https://cdr.ffiec.gov) instructs the agent to fetch data from the CDR Platform API — including user-generated items like Case Notes and Documents — which the agent will read and that can materially influence subsequent actions, creating a clear path for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes explicit, non-generic purchase functionality for the CDR Platform — e.g., a "Purchase CDR" action ("Submit a request to purchase carbon dioxide removal") and a CLI pattern to run actions (membrane action run ... ACTION_ID --json) which can execute that purchase. It also provides pricing actions ("Calculate CDR Price") and proxying to the platform API, reinforcing that this integration is designed to place purchase orders rather than merely query data. This constitutes direct financial execution capability.