ap2-shopping-agent

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill defines a role that processes untrusted natural language data from external users and merchants, creating a surface for indirect prompt injection attacks.\n
  • Ingestion points: Natural language user intent descriptions and merchant clarification responses (SKILL.md).\n
  • Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions to isolate untrusted input from the agent's core logic.\n
  • Capability inventory: The skill uses high-privilege tools including Bash, Write, Edit, and WebFetch.\n
  • Sanitization: The implementation suggests deterministic validation for mandates, but lacks explicit sanitization for the initial natural language intent capture phase.\n- [EXTERNAL_DOWNLOADS]: The skill fetches protocol specifications and reference implementations from ap2-protocol.org and the google-agentic-commerce repository on GitHub. These are expected resources for the development of AP2-compliant agents.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — ap2-shopping-agent