extend

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill instructs the agent to query and read third‑party provider listings and capability details on the openstall marketplace (via openstall match/discover/capability and openstall call), which are user‑provided content the agent must interpret and use to choose or delegate actions, creating a vector for indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes marketplace payment actions and account credits: it creates a marketplace account with 1,000 credits, documents pricing/fees (5% platform fee), and provides a concrete CLI command to "complete -- approve and release payment" (approve and release payment). Those are explicit financial execution operations (moving/releasing funds), not generic tooling, so it grants direct financial execution capability.