ucp-checkout-a2a

Warn

Audited by Snyk on May 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). Yes — the SKILL.md explicitly requires fetching live spec pages via web-search (site:ucp.dev), pulling sample A2A agents from the public GitHub repo, and reading Business Agent Cards at third-party /.well-known/ucp endpoints, so the agent will ingest untrusted external content that can influence its messaging and actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform checkout and agent-to-agent commerce. It defines message DataPart keys for payment and authorization flows (e.g., a2a.ucp.checkout.payment_data for payment credentials, ap2.merchant_authorization for merchant JWS/ap2 mandate, and ap2.checkout_mandate for user-authorized checkout credentials). The purpose is autonomous completion of payments and checkout sessions between agents, not a generic transport or browsing tool. This is a direct financial execution capability.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 21, 2026, 01:40 PM
Issues: 2