ap2-payment-mandate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md "Before writing code" section explicitly instructs fetching live docs from public sites (e.g., https://ap2-protocol.org/specification/ and web-searching public GitHub) so the agent will ingest and act on untrusted third‑party content that can influence its implementation decisions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically about payment authorization flows and integration with the payment ecosystem (payment networks, issuers, merchant payment processors, tokenization, DPAN tokens, and user cryptographic authorization). It defines a Payment Mandate schema that is used to authorize and route payments, includes tokenized payment credentials and user signatures, and describes the flow that leads to payment authorization. This is not a generic tool; it is specifically designed for financial operations and payment execution/authorization, so it grants Direct Financial Execution authority risk.