ap2-human-present-flow

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill instructs the agent to fetch and process external documentation and sample implementations to guide its coding tasks, which creates a surface for indirect prompt injection.\n
  • Ingestion points: The skill uses WebFetch to retrieve content from ap2-protocol.org and github.com (SKILL.md).\n
  • Boundary markers: There are no explicit instructions or delimiters defined to isolate external content from the agent's core instructions.\n
  • Capability inventory: The agent is granted access to powerful tools including Bash, Write, and Edit, which could be used to execute instructions found in external data (SKILL.md).\n
  • Sanitization: No sanitization or verification of the fetched external content is specified before it enters the agent's context.\n- [EXTERNAL_DOWNLOADS]: Fetches technical specifications and reference implementations from ap2-protocol.org and the google-agentic-commerce repository on GitHub. These are considered official and trusted sources for the implementation of the protocol described.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-human-present-flow