pledgeling

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill's SKILL.md explicitly instructs the agent to run Membrane actions and to use "membrane request CONNECTION_ID /path/to/endpoint" (Proxy requests section) to fetch data from the Pledgeling API, meaning the agent will ingest and act on third-party platform data that could contain untrusted/user-provided content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill invokes and depends on the Membrane CLI at runtime (e.g., "npm install -g @membranehq/cli" and "npx @membranehq/cli@latest"), which causes remote code to be fetched from the npm registry (e.g., https://registry.npmjs.org/@membranehq/cli) and executed, so this external dependency directly controls execution during runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated integration for Pledgeling, a charitable-giving/donations platform (it explicitly lists Campaign and Donation entities). It exposes Membrane CLI actions and a proxy that can run arbitrary HTTP methods (POST/PUT/PATCH/DELETE) against the Pledgeling API with authenticated requests and credential handling. That combination is specifically designed to interact with donation/payment data and can be used to create or modify donation-related transactions — i.e., it is expressly about a payments/donations system rather than a generic tool. Therefore it provides direct financial execution capability.