ap2-payment-processor
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch protocol specifications and requirements from ap2-protocol.org, which is not an established trusted vendor.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests data from external partners and unverified documentation while possessing powerful tool capabilities.
- Ingestion points: Documentation from ap2-protocol.org, payment mandates from the Merchant Agent, and credentials from the Credentials Provider.
- Boundary markers: Absent; no instructions are provided to separate external data from the agent's core instructions.
- Capability inventory: Tools include Bash, Write, Edit, WebFetch, and WebSearch, which could be exploited if malicious commands are injected via data.
- Sanitization: No validation or filtering of external inputs is specified.
Audit Metadata