ap2-intent-mandate
Warn
Audited by Socket on Mar 31, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill is not overtly malicious and its external references appear official, but it combines live web/GitHub ingestion with Write+Bash permissions and targets autonomous purchasing. The main concern is a coherence gap: it instructs implementation of a human-not-present AP2 Intent Mandate even though the public spec evidence indicates v0.1 primarily supports human-present flows. This is best classified as medium risk due to prompt-injection exposure and finance-adjacent autonomy, not credential theft or malware.
Confidence: 87%
Severity: 61%