ap2-human-present-flow
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to "Fetch live docs" from public third-party sites (e.g., https://ap2-protocol.org/specification/ and https://github.com/google-agentic-commerce/AP2/...), which the agent must read to obtain message formats and mandate structures—allowing untrusted external content to influence its decisions and actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments/checkout flow (AP2 human-present transaction). It defines payment-specific roles and actions: querying a Credentials Provider for payment methods, creating/signing Cart and Payment Mandates, sending a confirmed Cart Mandate + user attestation, and the Merchant/MPP "submits payment for processing." It also references 3DS2/OTP challenge handling and a card payment sample. These are concrete, payment-focused operations (not generic browser or API tooling) that enable sending transactions and processing payments.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata