ap2-payment-processor

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch protocol specifications and requirements from ap2-protocol.org, which is not an established trusted vendor.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests data from external partners and unverified documentation while possessing powerful tool capabilities.
  • Ingestion points: Documentation from ap2-protocol.org, payment mandates from the Merchant Agent, and credentials from the Credentials Provider.
  • Boundary markers: Absent; no instructions are provided to separate external data from the agent's core instructions.
  • Capability inventory: Tools include Bash, Write, Edit, WebFetch, and WebSearch, which could be exploited if malicious commands are injected via data.
  • Sanitization: No validation or filtering of external inputs is specified.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-payment-processor