centrifuge
Warn
Audited by Snyk on Apr 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly instructs the agent to use "membrane action run" and "membrane request CONNECTION_ID /path/to/endpoint" to fetch/proxy live data from the external Centrifuge API (a public third-party source), which the agent is expected to read and act on.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for Centrifuge, an on-chain asset financing (DeFi) platform (tokenization, decentralized lending). The documentation lists "Transaction", "Invoice", and describes using the Membrane CLI to run actions and proxy arbitrary Centrifuge API requests (membrane action run, membrane request) with HTTP methods including POST/PUT/PATCH/DELETE. Membrane handles authentication/credential refresh for the connection, so the agent can invoke authenticated endpoints that create/send on-chain transactions. This is a specific crypto/blockchain financial integration (not a generic browser or HTTP tool) and therefore permits direct financial execution.
Issues (2)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).