x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's execute-endpoint and probe-endpoint commands (see x402.ts parseEndpointUrl and the execute-endpoint/probe-endpoint actions, and AGENT.md examples using --url) accept arbitrary HTTPS URLs and fetch/ingest their responses at runtime, meaning untrusted public third‑party endpoint content is read and used to decide payments and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements crypto payment and wallet operations. It (a) states "Payment flows are handled automatically using the configured wallet", (b) requires an unlocked wallet to probe/execute paid endpoints and to send inbox messages, (c) provides a send-inbox-message command that performs sponsored sBTC transactions and returns txid/amount, (d) allows execute-endpoint with --auto-approve to pay for paid endpoints, and (e) scaffold commands create paid API endpoints with tokenType fields (STX, sBTC, USDCx) and recipient addresses. These are concrete blockchain/crypto payment features (sending transactions, signing/payments), not generic tooling, so it grants direct financial execution capability.