ap2-merchant-agent

Warn

Audited by Snyk on Mar 31, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md's "Before writing code" steps explicitly require fetching https://ap2-protocol.org/specification/ and web-searching GitHub for AP2 samples. Both are public third-party content that the agent is expected to read and use to implement merchant behaviors, so untrusted content could inject instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a merchant-side payment-capable agent: it creates and signs Cart Mandates using the W3C Payment Request API structure, advertises supported payment methods (including a processor endpoint and merchant_id in method_data), and "supports the payment flow by forwarding to Payment Processor." These are specific payment integrations (payment processor endpoints / payment request API) rather than generic tooling, so it grants direct financial execution capability.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 06:09 AM
Issues: 2