ap2-human-not-present-flow

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch live protocol specifications and roadmap details from the ap2-protocol.org domain.- [EXTERNAL_DOWNLOADS]: The instructions recommend searching for implementation samples within the google-agentic-commerce project on GitHub, which is associated with a well-known technology provider.- [PROMPT_INJECTION]: The skill describes a flow where the agent ingests untrusted 'Cart Mandate' data from external merchants. This represents an indirect prompt injection surface. Ingestion points: Data provided by merchants during the autonomous shopping phase (SKILL.md). Boundary markers: None specified in the instructions to delimit merchant-provided data from system instructions. Capability inventory: The agent is granted Bash, Write, Edit, and WebFetch tools which could be exploited if malicious merchant data is processed. Sanitization: The skill recommends constraint evaluation (price, category, brand) but does not provide specific sanitization or escaping instructions for the natural language content within mandates.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-human-not-present-flow