toolkit

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill gives agents access to external integrations (connectors: ["*"] and pica.tools() like list_pica_integrations, get_pica_platform_actions and execute) which let the agent read and act on user-generated third‑party content (Gmail, Slack, other connected platforms) as part of its workflow, exposing it to indirect prompt injection risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The toolkit explicitly lists Stripe among supported platforms and provides an "execute" / "execute_pica_action" function that runs actions on connected platforms. It exposes platform-specific actions (25,000+ actions) and permission levels including "write" and "admin" (full automation). Because Stripe is named and the skill's primary API includes executing platform actions (which for Stripe can include charges/refunds, etc.), this is a specific payment gateway integration that grants the agent ability to move money—not just a generic automation tool.