ucp-checkout-a2a

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires packaging sensitive items such as "payment credentials" and JWS/SD-JWT tokens into A2A DataPart messages, which would require the agent to include secret values verbatim in generated messages, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). Yes — the SKILL.md explicitly requires fetching live spec pages via web-search (site:ucp.dev), pulling sample A2A agents from the public GitHub repo, and reading Business Agent Cards at third-party /.well-known/ucp endpoints, so the agent will ingest untrusted external content that can influence its messaging and actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform checkout and agent-to-agent commerce. It defines message DataPart keys for payment and authorization flows (e.g., a2a.ucp.checkout.payment_data for payment credentials, ap2.merchant_authorization for merchant JWS/ap2 mandate, and ap2.checkout_mandate for user-authorized checkout credentials). The purpose is autonomous completion of payments and checkout sessions between agents, not a generic transport or browsing tool. This is a direct financial execution capability.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 19, 2026, 07:31 AM
Issues
3
Security Audit — snyk — ucp-checkout-a2a