marketplacer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly allows sending proxied requests to the Marketplacer API via "membrane request" (see "Proxy requests"), which will return marketplace data (listings, conversations, messages, etc.) that are user-generated and the agent is expected to read/act on, creating a clear path for untrusted third-party content to influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a Marketplacer integration (a marketplace platform) and explicitly exposes financial resources such as "Payment", "Transaction", "Invoice", and "Credit". It also documents running actions and proxying arbitrary API requests (POST/PUT/PATCH) through the Membrane CLI to Marketplacer endpoints. Those capabilities are specific to marketplace/payment operations (not merely generic browser automation or a generic HTTP caller) and therefore can be used to create/send financial transactions or modify payments. This meets the "specific" criterion for Direct Financial Execution.