acp-payment-handlers

Warn

Audited by Snyk on Mar 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md's "Before writing code" section explicitly instructs the agent to fetch live docs from public third-party sites (web-search GitHub RFCs for agentic-commerce-protocol, https://developers.openai.com/commerce/specs/payment/, and docs.stripe.com), which the agent is expected to read and use to determine handler/instrument schemas and runtime behavior, creating a clear vector for untrusted content to influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly about implementing payment handlers and describes concrete payment flows and integrations. It references Stripe tokenized payments (SPT), states the agent "provisions SPT via Stripe" and "sends SPT ... in complete" and that the "Merchant charges via Stripe using the SPT." It also defines handler fields like requires_delegate_payment and describes seller-backed payment methods (gift cards, saved cards, store credit) that enable a merchant to directly process payments. These are specific, named payment gateway and payment-execution mechanisms (Stripe/delegated payment and merchant-side charging), not generic tooling, so the skill grants direct financial execution capability.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 19, 2026, 07:32 AM
Issues
2
Security Audit — snyk — acp-payment-handlers