pretix

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's "Proxy requests" workflow instructs the agent to send arbitrary requests to a Pretix API via Membrane (e.g., "membrane request CONNECTION_ID /path/to/endpoint"), which lets the agent fetch and interpret potentially untrusted/user-generated third-party content from Pretix instances that can materially influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated Pretix integration (a ticket-sales/payment platform) exposing domain objects like Orders and Invoices and allowing actions via the Membrane CLI and a proxy to the Pretix API. It explicitly mentions Pretix "processing payments" and documents running actions and issuing HTTP requests (POST/PUT/PATCH/DELETE) against the Pretix API — capabilities that can create orders, invoices, refunds, or otherwise trigger payment-related operations. This is a specific, finance-related integration (not a generic browser or HTTP tool), so it grants direct financial execution authority.