acp-dev-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's "Before writing code" workflow explicitly instructs fetching live docs and performing web-searches of public sites (e.g., https://developers.openai.com/commerce/specs/checkout/, https://developers.openai.com/commerce/guides/production/, site:docs.stripe.com, and site:github.com agentic-commerce-protocol CHANGELOG), meaning the agent is required to ingest untrusted third‑party web content that could influence its decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about implementing payment/checkout flows (ACP commerce patterns). It contains payment-specific, non-generic instructions: required Idempotency-Key behavior for POST requests, 3D Secure challenge handling and the exact fields to return to "complete" a payment, monetary-amount safety rules, webhook signing for payment events, and references to Stripe and checkout specs. These are concrete, payment-focused protocols for initiating and finalizing financial transactions (i.e., moving money), not generic tooling. Therefore it grants direct financial execution capability.