ap2-cart-mandate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's "Before writing code" workflow explicitly instructs the agent to fetch live docs from https://ap2-protocol.org/specification/ and to web-search GitHub for implementations, which are untrusted public third-party sources the agent must read and that can materially influence implementation and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching live docs at runtime (e.g., https://ap2-protocol.org/specification/ and https://ap2-protocol.org/topics/core-concepts/) which are required by the skill and would directly determine the agent's instructions/implementation for the Cart Mandate, so these external resources control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for checkout and payment authorization: it defines a Cart Mandate that embeds the W3C Payment Request API (payment_request with methodData pointing to payment processor endpoints), describes merchant and user signing for purchase authorization, and prescribes creation/signing/verification flows used in human-present transactions. This is not a generic tool—its primary purpose is to bind and authorize payments/orders and to integrate with payment processors (processor endpoint URLs). Therefore it constitutes direct financial execution capability.