acp-checkout-rest

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's "Before writing code" step explicitly instructs the agent to fetch live docs and to web-search site:github.com for an OpenAPI YAML (alongside public docs), meaning the agent will ingest public GitHub-hosted specifications and other third-party web pages as part of its workflow, which could contain untrusted/user-generated content that materially influences implementation decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a merchant checkout API for creating/updating/retrieving/completing/canceling checkout sessions and describes sending payment data and merchant-side payment processing via a PSP (mentions Stripe and PSPs, handling SPT, 3DS flows, and idempotent payment POSTs). These are explicit payment gateway/checkout operations intended to move money, not generic tooling. Therefore it grants direct financial execution capability.