v0-dev
Warn
Audited by Snyk on Mar 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly imports and reads third-party GitHub repositories and env vars as part of its required workflow (see "Importing Existing Repos" — "v0 reads your existing codebase and env vars from Vercel" and the v0.chats.init/files example), meaning untrusted/user-generated code from public repos can be ingested and influence the agent's actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes a runtime command that pulls remote project content — npx shadcn@latest add "https://v0.dev/chat/b/<project_id>?token=" — which fetches files from that URL at runtime and injects them into the codebase (i.e., remote content controlling what gets added/executed), so it is a risky external dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly lists "Payments: Stripe" under Built-in Integrations, indicating native support for a specific payment gateway. That qualifies as a specific tool/API for financial operations (payment processing), so it grants direct financial execution capability. Other features are generic code/CI/CD and agent tools, but the explicit Stripe integration is sufficient to flag risk.
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata