elevenlabs-agents

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests arbitrary third-party/user-provided content via RAG knowledge bases (uploaded PDFs/TXT/DOCX that are retrieved at runtime). It also performs HTTP/webhook/MCP calls to external public APIs/URLs (server tools and MCP integrations), and the agent uses the responses as conversation context, so untrusted external content can influence the agent's behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly supports server-side tools/webhooks that can call external APIs and lists "Process payments (Stripe, PayPal)" as a Server Tools use case. It also shows secret variables like {{secret__stripe_api_key}} and examples/config patterns for server tools making authenticated HTTP requests. These items are specific to payment gateway integrations, which meet the "Direct Financial Execution" criteria.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 09:07 PM