ap2-human-not-present-flow
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch live protocol specifications and roadmap details from the ap2-protocol.org domain.- [EXTERNAL_DOWNLOADS]: The instructions recommend searching for implementation samples within the google-agentic-commerce project on GitHub, which is associated with a well-known technology provider.- [PROMPT_INJECTION]: The skill describes a flow where the agent ingests untrusted 'Cart Mandate' data from external merchants. This represents an indirect prompt injection surface. Ingestion points: Data provided by merchants during the autonomous shopping phase (SKILL.md). Boundary markers: None specified in the instructions to delimit merchant-provided data from system instructions. Capability inventory: The agent is granted Bash, Write, Edit, and WebFetch tools which could be exploited if malicious merchant data is processed. Sanitization: The skill recommends constraint evaluation (price, category, brand) but does not provide specific sanitization or escaping instructions for the natural language content within mandates.
Audit Metadata