agentic-commerce-protocol

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's "Capability Negotiation" flow includes a client-side checkSellerCapabilities(sellerUrl) that POSTs to an arbitrary sellerUrl/agentic-checkout/capabilities and uses the returned capabilities to decide compatibility and next actions, clearly consuming untrusted third-party responses that can influence agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly an "Agentic Commerce Protocol" for AI-driven commerce and includes concrete payment endpoints and flows (POST /agentic-checkout/create-checkout, /confirm-checkout), handles payment_token, and references payment processors and credentials (PAYMENT_PROCESSOR_API_KEY, processor: 'stripe'). It describes payment handler types (delegate_payment, seller-backed, payment link), supported methods (card, bank_transfer), and shows confirm-checkout processing payments and producing orders. These are specific payment integrations and transaction-executing operations (Stripe referenced), not generic tooling—therefore it grants direct financial execution capability.