connect

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows API keys and connection keys (e.g., "API Key: sk_test_...9j-Y") and instructs the agent to display them, and the workflow expects the agent to surface those secret values in status/list outputs, requiring the LLM to handle and output secrets verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill explicitly connects the agent to external third‑party services (e.g., Gmail, Slack, HubSpot, Notion, Calendar) via Pica and exposes MCP tools that will read and act on content from those services (e.g., "check my calendar", read/post messages), meaning the agent will ingest untrusted user-generated content from those external platforms.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly lists Stripe as a supported integration and exposes explicit execution primitives: "execute_pica_action" (and CLI alias pica exec <id>) to run actions on connected platforms. The skill is a connector/MCP that returns connection keys and action IDs and allows executing platform-specific actions — which for Stripe (a payment gateway) can include sending transactions, charges, refunds, etc. Because it includes a specific payment gateway (Stripe) and concrete execute-call functionality for platform actions, it meets the criteria for Direct Financial Execution.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:59 AM