eventzilla

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly instructs the agent to call Eventzilla (via membrane action run and membrane request) to fetch event/attendee/transaction data (see "Popular actions" and "Proxy requests" in SKILL.md), which are untrusted, user-generated third-party contents the agent is expected to read and could materially influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes Eventzilla-specific actions for creating and managing checkouts and orders (Create Checkout, Prepare Checkout, Confirm Order, Cancel Order) and for retrieving transaction data (Get Transaction, List Event Transactions). These are explicit payment-related operations in a ticketing/payment flow (creating/confirming orders/transactions), not generic tooling. That constitutes direct financial execution capability.