rye-universal-checkout

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow explicitly calls the Product Lookup endpoint (GET /api/v1/products/lookup?url=...) — described in references/api-reference.md and references/buy.md — which fetches data from arbitrary public product URLs and returns merchant-provided fields (name, description, images, price) that the agent is expected to read and use to decide whether to proceed with a purchase, exposing it to untrusted third-party content that could carry indirect prompt-injection payloads.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute real purchases: it provides API endpoints and SDK methods to create checkout intents and perform single-step purchases (POST /checkout-intents/purchase), acts as merchant-of-record, and uses tokenized payments via Stripe. This is a specific payment/checkout integration intended to move money and place orders on behalf of users.