acp-checkout-mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly directs fetching live public web docs (e.g., web-search and retrieving https://developers.openai.com/commerce/specs/checkout/ and GitHub search results for MCP SDK/examples), so the agent is expected to ingest untrusted third-party content that could contain instructions influencing tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes checkout operations as tools (e.g., create_checkout_session, update_checkout_session, complete_checkout_session) and the flow describes "Submit payment to finalize" and integration with a PSP (Stripe). These are specific payment gateway/checkout operations intended to move money, not generic tooling. Therefore it grants direct financial execution capability.