ap2-mcp-server

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Before writing code" steps explicitly require fetching live docs from public websites (https://ap2-protocol.org/specification/, https://ap2-protocol.org/topics/ap2-a2a-and-mcp/, https://ap2-protocol.org/roadmap/) and web-searching GitHub, so the agent will ingest untrusted third-party content that can materially influence implementation decisions and tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about exposing payment-capable MCP tools and lists concrete payment operations (e.g., "process_payment" — Submit a payment for processing; payment method management; mandate creation and signing; get_transaction_status). These are specific financial execution functions (submitting payments, managing payment methods, signing mandates), not generic tooling. Therefore it grants direct financial execution capability.