claude-api

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Agent SDK section includes a concrete example that passes a built-in web_search tool (tools=[{"type":"web_search_20250305", "name":"web_search"}]) to the agent and the workflow shows tool results being appended into the agent messages, so the agent fetches and ingests public web content which it reads and uses to drive subsequent actions—exposing it to untrusted third‑party content and potential indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill includes a specific tool named "process_refund" with an input schema and the explicit description "Process a refund for a completed order" — i.e., initiating a refund/transaction. That is a concrete financial execution capability (moving money). Other financial tools shown (get_stock_price, calculate_metrics, generate_report) are analysis/read-only, but the presence of process_refund constitutes direct financial execution authority.