acp-delegated-payment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Before writing code" steps explicitly require fetching live, public third-party docs (e.g., https://developers.openai.com/commerce/specs/payment/, https://docs.stripe.com/agentic-commerce/concepts/shared-payment-tokens, and web-searching GitHub for the delegate payment OpenAPI spec), so the agent will ingest and act on external web content (including user-hosted GitHub content) that can materially influence its implementation decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed for payment processing. It targets Stripe's delegated payment / SharedPaymentToken (SPT) flow, references PSP (payment service provider) endpoints (e.g., POST /agentic_commerce/delegate_payment), describes obtaining a single-use token and using it to complete charges, and instructs fetching Stripe and delegated-payment OpenAPI docs. This is a payment-gateway integration (tokenization, provisioning, and completion of payments) — i.e., a tool whose primary definition is to move money.