printing-press-catalog

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The Install workflow explicitly downloads external API specs from each catalog entry's spec_url using curl ("curl -sL -o "$SPEC_TMP" "<spec_url>"") and feeds those untrusted third-party specs into the generator, meaning remote content is fetched and directly influences generation/tooling behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Install workflow downloads an external spec at runtime via curl ("curl -sL -o "$SPEC_TMP" "<spec_url>"") using the spec_url from catalog/.yaml and immediately feeds that fetched spec into printing-press generate, so external spec URLs (spec_url) can directly control generated code and thus agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The catalog explicitly includes payment processors (e.g., "stripe
• Payment processing and financial infrastructure API" and "square
• Payment processing and commerce API") and provides an "install " workflow (examples: "/printing-press-catalog install stripe") that downloads an API spec and generates a runnable CLI for that API. Generating and installing a provider-specific CLI (e.g., Stripe) can produce tools that call payment endpoints (create charges, refunds, transfers, etc.), so this skill directly enables use of payment gateway APIs rather than being a purely generic automation tool. Therefore it contains specific payment gateway capabilities that can move money.