ucp-embedded-checkout

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill outlines a standard protocol (UCP) for merchant-hosted checkout escalation. It correctly identifies and requires critical security controls such as HTTPS, CSP frame-ancestors, and strict postMessage origin validation to prevent unauthorized access and data injection.
  • [SAFE]: External documentation is retrieved from trusted sources, specifically the official Google Developers portal (https://developers.google.com/merchant/ucp/guides/checkout/embedded).
  • [SAFE]: The implementation guidance includes specific instructions for iframe sandboxing using recommended attributes (allow-scripts allow-forms allow-same-origin) and explicitly prohibits dangerous behaviors like silent tokenization.
  • [SAFE]: While the skill uses WebFetch and WebSearch to ingest external specifications (Indirect Prompt Injection surface), this is done for legitimate implementation purposes targeting trusted organizations and well-known service domains.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:31 AM
Security Audit — agent-trust-hub — ucp-embedded-checkout