ap2-dev-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "Before writing code" steps explicitly instruct the agent to fetch live public resources (e.g., https://ap2-protocol.org/specification/, related topic pages, and a web-search for GitHub AP2 samples), which are third-party/untrusted web sources the agent is expected to read and use to drive implementation decisions, allowing indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The document is explicitly a payments-focused development pattern. It names payment-specific protocols and APIs (UCP's /complete_checkout payment-authorization endpoint), a crypto payment standard (x402), Merchant Payment Processor (authorization/settlement, Payment Mandate), DPANs/credentials provider, PCI compliance and recurring payment flows. These are not generic integrations but concrete payment/crypto execution patterns and endpoints for authorizing/settling payments. Therefore it contains specific tools and APIs intended to move money/authorize payments.