ap2-credentials-provider
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md "Fetch live docs" step explicitly requires fetching public pages (e.g., https://ap2-protocol.org/specification/ and web-searching GitHub for AP2 samples), which the agent is expected to read and use to drive implementation decisions, so untrusted third-party content could inject instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed as a payment "Credentials Provider" that stores payment methods, performs tokenization (DPAN), validates payment mandates, resolves tokens to real credentials, and releases credentials to a Merchant Payment Processor. It specifies PCI DSS, HSMs, token lifecycle, binding tokens to transactions, and an endpoint for credential operations. Those are direct, specific financial operations (managing payment credentials and facilitating payments), not generic tooling. Therefore it grants direct financial execution authority.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).