pay-via-agent-wallet
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and parse marketplace/service data from untrusted third-party endpoints (via circle services search/inspect, curl -s "<service-url>", and circle services pay, which returns the seller's JSON/openapi responses), so seller-provided content can directly influence chain selection, request schema, payment decisions, and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent at runtime to fetch provider files (e.g., the llms.txt referenced at https://developers.circle.com/llms.txt and arbitrary seller endpoints via curl -s "") and to read those files (llms.txt/openapi.json) to shape request schemas and LLM prompts, so remote content can directly control the agent's prompts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to execute paid transactions: it locates paid services and calls the Circle CLI to settle micropayments in USDC. It documents and instructs use of circle services pay (which "signs the payment authorization, settles to the seller, and returns" the response), wallet balance checks, gateway deposits/funding flows, and spend-limiting flags like --max-amount. This is a specific payment/settlement workflow (moving stablecoin funds), not a generic API caller or browser automation.
Issues (3)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata