acp-payment-handlers
Warn
Audited by Snyk on Mar 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). SKILL.md's "Before writing code" section explicitly instructs the agent to fetch live docs from public third-party sites (web-search GitHub RFCs for agentic-commerce-protocol, https://developers.openai.com/commerce/specs/payment/, and docs.stripe.com), which the agent is expected to read and use to determine handler/instrument schemas and runtime behavior, creating a clear vector for untrusted content to influence actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly about implementing payment handlers and describes concrete payment flows and integrations. It references Stripe tokenized payments (SPT), states the agent "provisions SPT via Stripe" and "sends SPT ... in
complete" and that the "Merchant charges via Stripe using the SPT." It also defines handler fields likerequires_delegate_paymentand describes seller-backed payment methods (gift cards, saved cards, store credit) that enable a merchant to directly process payments. These are specific, named payment gateway and payment-execution mechanisms (Stripe/delegated payment and merchant-side charging), not generic tooling, so the skill grants direct financial execution capability.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata