ap2-setup
Warn
Audited by Snyk on Mar 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md's "Fetch live docs" step explicitly instructs fetching public sites (e.g., https://ap2-protocol.org/ and the GitHub repo https://github.com/google-agentic-commerce/AP2 and sample pages) and says to read the live README/samples for exact setup commands, meaning the agent will ingest untrusted public web content that can change its setup actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs installing remote code via pip from the Git URL git+https://github.com/google-agentic-commerce/AP2.git@main, which fetches and installs/exposes third‑party code as a required dependency that will be executed during setup/runtime.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to scaffold a multi-agent payment system: it creates roles like "Credentials Provider" (payment methods, tokenization) and "Merchant Payment Processor" (payment processing), references AP2 payment/mandate types, and instructs configuring agents and credentials for processing payments. This is not a generic tool—its primary purpose is financial operations (processing payments), so it grants direct financial execution capability.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata