ucp-embedded-checkout
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill outlines a standard protocol (UCP) for merchant-hosted checkout escalation. It correctly identifies and requires critical security controls such as HTTPS, CSP
frame-ancestors, and strictpostMessageorigin validation to prevent unauthorized access and data injection. - [SAFE]: External documentation is retrieved from trusted sources, specifically the official Google Developers portal (https://developers.google.com/merchant/ucp/guides/checkout/embedded).
- [SAFE]: The implementation guidance includes specific instructions for iframe sandboxing using recommended attributes (
allow-scripts allow-forms allow-same-origin) and explicitly prohibits dangerous behaviors like silent tokenization. - [SAFE]: While the skill uses
WebFetchandWebSearchto ingest external specifications (Indirect Prompt Injection surface), this is done for legitimate implementation purposes targeting trusted organizations and well-known service domains.
Audit Metadata