setup-services
Warn
Audited by Snyk on Mar 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md instructs fetching and executing external code from public third-party sources—e.g., curl https://openspend.ai/install and configuring an MCP server that runs "npx -y @coinbase/payments-mcp" (npm)—which the agent is expected to use/run and whose outputs could materially influence tool behavior and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill instructs running a remote installer (curl -fsSL https://openspend.ai/install | sh) and also relies on fetching and executing packages at runtime via npx (npx -y @coinbase/payments-mcp). Both fetch and execute remote code during runtime, making them high-risk external dependencies.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly configures and instructs use of a Coinbase Payments MCP ("@coinbase/payments-mcp"), includes commands and config to invoke that payments provider via npx, and gives workflow steps for authenticated wallet access (check_session_status, show_wallet_app, get_wallet_address, get_wallet_balance) and for making paid requests (x402 discovery, make_http_request_with_x402, "route payment through @coinbase/payments-mcp", and guidance on maxAmountPerRequest). These are specific payment/crypto wallet integration steps (not generic automation) that enable sending or authorizing payments, so it grants direct financial execution capability.