alipay-pay-for-402-service
Warn
Audited by Snyk on May 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill requires ingesting the Payment-Needed header from arbitrary HTTP 402 responses (Step 1) and then passing that untrusted, third-party content to the alipay-bot CLI and verbatim relaying/acting on the CLI output (Step 2), which can materially influence subsequent commands and actions as specified in SKILL.md.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs installing and running the npm package @alipay/agent-payment at runtime (see https://www.npmjs.com/package/@alipay/agent-payment and the command "npm install @alipay/agent-payment@1.0.0 && npx @alipay/agent-payment@1.0.0 install-cli"), which fetches and executes remote code (the alipay-bot CLI) that the agent relies on and whose output directly controls agent behavior, so it is a runtime external dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly and specifically designed to perform real payments via Alipay. It instructs the agent to install and run the official alipay-bot CLI (from @alipay/agent-payment) and to execute commands that: initiate a 402 buyer payment (402-buyer-pay), obtain paymentProof/shortUrl/payment links, query payment status (402-query-payment-status), and send fulfillment acknowledgements (402-buyer-fulfillment-ack). Those are direct payment gateway operations (creating charges, obtaining payment credentials, and confirming fulfillment), not generic tooling. Therefore it grants direct financial execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).