repairshopr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md explicitly allows fetching arbitrary RepairShopr data via Membrane actions and proxy requests (e.g., "membrane action run" and "membrane request CONNECTION_ID /path/to/endpoint") and enumerates user-generated content types like Forum, Tickets, Reviews and Knowledge Base, so the agent will ingest third-party user-provided content that could influence subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is a specific integration with RepairShopr (a CRM that includes invoicing and payments). The prompt explicitly lists domain objects and actions tied to money: "Payment", "Invoice", "Refund", "Chargeback", "Register", "Revenue Report", etc. It also documents running Membrane actions and proxying requests (POST/PUT/PATCH) to RepairShopr endpoints with authenticated credentials handled by Membrane.

Because the connector is purpose-built for RepairShopr (not a generic browser or HTTP tool) and includes payment/refund/chargeback/register functionality and the ability to execute actions/requests against the RepairShopr API, it provides explicit capabilities to create or modify financial transactions. That meets the "Direct Financial Execution" criteria.