retool

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md instructs the agent to run Membrane actions and proxy requests (e.g., "membrane action run" and "membrane request") against Retool connectors — including user-generated/public sources like Slack, Discord, GitHub, and public APIs listed in the connector list — which the agent would retrieve, read, and could use to drive subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The Retool skill explicitly exposes and documents connectors and actions for payment and banking services (examples: Stripe / Stripe Billing / Stripe Checkout / Stripe Connect / Stripe Issuing / Stripe Treasury, Square Payments / Square Refunds / Square Orders / Square Invoices, Plaid, QuickBooks, Xero). It also describes running actions and proxying requests (including POST/PUT/DELETE with JSON bodies) via Membrane with authenticated connections. Those are specific financial APIs and actions (payments, refunds, banking/treasury, Plaid) — not merely generic browser or HTTP tooling — and therefore grant direct financial execution capability.