ap2-challenge-stepup
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This SKILL.md explicitly directs the agent to "Fetch live docs" from public URLs (https://ap2-protocol.org/specification/, https://ap2-protocol.org/topics/privacy-and-security/) and to web-search GitHub and the open web for implementation examples, which the agent is expected to read and use to determine message formats and redirect/callback behavior—clearly ingesting untrusted third-party content that can influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs fetching the AP2 specification at runtime (https://ap2-protocol.org/specification/) to obtain "exact challenge message formats" and callback schemas that would directly determine agent prompts/behavior, creating a required external dependency that controls the agent's instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed for payment processing authentication: it implements AP2 challenge/step-up flows (3DS2, OTP, redirect challenges), describes how challenges are forwarded, verified, and how the MPP retries authorization and resumes payment flow after challenge completion. These are payment-specific protocols and integrations (strong customer authentication, OTP verification, callbacks to resume authorizations) that are part of executing and completing financial transactions—not a generic tool. Therefore it grants direct financial execution-related capability.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata