acp-payment-handlers

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to provision and then send payment instrument credentials (e.g., Stripe SPT tokens, gift card numbers/PINs) as the instrument.credential in a completion, which requires including secret values verbatim in generated requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). SKILL.md's "Before writing code" section explicitly instructs the agent to fetch live docs from public third-party sites (web-search GitHub RFCs for agentic-commerce-protocol, https://developers.openai.com/commerce/specs/payment/, and docs.stripe.com), which the agent is expected to read and use to determine handler/instrument schemas and runtime behavior, creating a clear vector for untrusted content to influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about implementing payment handlers and describes concrete payment flows and integrations. It references Stripe tokenized payments (SPT), states the agent "provisions SPT via Stripe" and "sends SPT ... in complete" and that the "Merchant charges via Stripe using the SPT." It also defines handler fields like requires_delegate_payment and describes seller-backed payment methods (gift cards, saved cards, store credit) that enable a merchant to directly process payments. These are specific, named payment gateway and payment-execution mechanisms (Stripe/delegated payment and merchant-side charging), not generic tooling, so the skill grants direct financial execution capability.