alipay-merchant-onboarding

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly queries and parses third-party Alipay Service Marketplace listings (Step 5.2 / references/service-registration.md via a2a-pay-service.discoverBazaarServicesForMcp), which are user-provided/marketplace content the agent reads and uses to decide whether to reuse or register services, so untrusted third‑party content can influence workflow and tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime install command that fetches and executes remote code via curl -fsSL https://opengw.alipay.com/alipaycli/install | bash to install alipay-cli, which is executed at runtime and is a required dependency, so this URL is a high-risk external dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly built for Alipay merchant onboarding and contains specific payment-gateway integrations and API calls. It requires and uses the real alipay-cli, performs MCP calls (e.g., ar-query.queryArInfosBySalesProd, ar-sign.apply, apprelease.*, file upload), and uses payment-related scopes (app:all, fast_instant_trade_pay:write, machine_pay:write, agmnt:write). These are concrete, payment-platform-specific operations (signing merchants, submitting sign-up, setting up payment-capable applications/service registration) rather than generic browser or HTTP tooling. Per the policy list (payment gateways / gateway APIs), this is a direct financial execution capability risk.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

• Hidden Unicode characters detected (1 type(s) found)