ucp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses arbitrary platform discovery profiles from external URLs (see lib/ucp/negotiation.ts's fetch(platformProfileUrl) and the MCP endpoints that accept platform_profile_url), so untrusted third‑party JSON can be ingested and used to negotiate capabilities and shape responses.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to implement ecommerce checkout and payment handling. It includes specific payment integrations and execution paths: references to Stripe (lib/ucp/handlers/stripe.ts), an environment variable STRIPE_SECRET_KEY, a payment handler registry, a processPayment function that "integrate[s] with Stripe, etc.", and endpoint/tools that perform "complete checkout" with payment_data (e.g., ucp_complete_checkout). These are concrete payment gateway integrations and APIs for processing/capturing payments (not generic HTTP/click automations), so it grants direct financial execution authority.