ap2-human-not-present-flow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Fetch live docs" steps explicitly require fetching public third‑party pages (e.g., https://ap2-protocol.org/specification/ and web-searching site:github.com for google-agentic-commerce samples), which the agent must read to determine Intent Mandate fields and flow behavior, so untrusted web content could materially influence its decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about implementing an autonomous purchasing flow ("autonomous agent purchasing", "human-not-present transaction flow") that includes creating/signed Intent Mandates and a Phase ("If within bounds → SA proceeds with payment" and "Payment processing (similar to human-present Phase 4-6)"). Although it does not name a specific payment gateway, its primary and explicit purpose is to enable the agent to decide to and execute payments on behalf of the user. That constitutes direct financial execution authority.