mpp
Fail
Audited by Snyk on Mar 25, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes multiple examples that embed secret-like values verbatim (e.g., "sk-...", "0x...", secretKey: '...') and even a comment allowing an API key, which encourages the agent to place real API keys/private keys directly into generated code or config, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on arbitrary external HTTP/JSON/SSE APIs (e.g., SKILL.md "Quick Start: Client" that polyfills fetch and auto-handles 402 on fetch('https://api.example.com/paid'), the "Payments Proxy" / Proxy.create section which proxies external services like OpenAI, and notes about upstream fetches/OpenRouter SSE in the docs), so untrusted third‑party responses are fetched and used at runtime and can materially influence tool calls and agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments SDK/protocol. It provides concrete payment rails and APIs (Tempo stablecoins, Stripe cards, Lightning Bitcoin, card network tokens), SDK functions like charge(), session(), verify/settle, session/channel management, and examples that perform on-chain transactions, open/close channels, and accept/charge funds. It includes tooling to create accounts, manage private keys, and configure Stripe clients—i.e., explicit capabilities to move and settle money. This meets the "direct financial execution" criteria.
Issues (3)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata