ucp-ap2-mandates

Warn

Audited by Snyk on May 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to "Fetch live spec" and to web-search and fetch public URLs (e.g., https://ucp.dev/2026-01-23/documentation/ucp-and-ap2/, https://ap2-protocol.org, and the GitHub conformance repo). These are open, public third-party sources the agent is expected to read and use to drive implementation decisions, which allows untrusted external content to influence the agent's behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and specifically about enabling autonomous payment flows: it defines Checkout and Payment Mandates, cryptographic signing (JWS with detached content), merchant_authorization, a complete_checkout call, PSP verification, and a 7-step flow for agent-driven commerce. It describes the agent generating payment authorization credentials so that it can authorize payments without a human in the loop. This is a purpose-built payment execution capability (not a generic tool), so it constitutes direct financial execution authority.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 21, 2026, 01:40 PM
Issues: 2