x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's client middleware explicitly fetches and parses Payment-Required / X-PAYMENT headers from arbitrary external endpoints (see references/client-guide.md and SKILL.md examples like GET "https://premium-api.example.com/protected"), treating those untrusted third-party responses as payment requirements and using them to select signing/settlement actions, so remote content can directly change agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly and specifically designed to perform blockchain payments and settlement. It provides client libraries and middleware to "automatically pay via the x402 protocol," accepts any ERC‑20/native token, shows examples using a PrivateKeySigner (private key) to sign payments, documents facilitator components that verify and "POST /settle" to execute on‑chain transactions, and describes gasless payment flows (EIP‑3009, Permit2, EIP‑2612). These are concrete crypto/blockchain payment and signing capabilities (not generic HTTP or browser automation), so the tool's primary purpose is to move value on‑chain.