budget-optimizer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and script explicitly pull campaign/adset insights via the third-party "social" CLI (see scripts/budget-optimizer.sh: social --no-banner marketing insights/status and SKILL.md step 1 "Pull campaign and adset level insights"), ingesting fields like campaign_name, spend, CTR/CPC (arbitrary strings and metrics) which the agent parses and uses to drive ranking and budget recommendations—exposing it to untrusted, user-generated third-party content that can influence decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is specifically for ad spend management and explicitly describes recommending and executing budget shifts. It includes domain-specific scripts (./scripts/budget-optimizer.sh recommend), an invocation workflow that calculates recommended budget shifts (% based), and safety notes that it "waits for explicit 'yes' before executing" and "Never adjust budget without explicit approval" — indicating the skill can apply budget changes (i.e., update ad spend). Managing ad spend budgets (with ability to execute changes) falls under Direct Financial Execution per the rules, so this is not a generic tool and should be flagged.