ucp-checkout-rest

Warn

Audited by Snyk on Mar 31, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to "Fetch live spec" via web-search and to fetch pages from the public site ucp.dev (e.g., site:ucp.dev specification checkout-rest and https://ucp.dev/specification/reference/), meaning the agent will ingest and act on untrusted public web content that can change endpoint behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs the agent to fetch live spec pages during runtime (e.g., https://ucp.dev/specification/reference/ and the site:ucp.dev checkout-rest page) and use that fetched content to determine endpoint shapes and behavior, so the external content directly controls the agent's instructions and is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a checkout/payment REST API: it defines create/update/complete/cancel checkout session operations, mandates idempotency and request-signature headers for payment integrity, and explicitly instructs the Business to "Handle Complete by processing payment credential, creating order" and the Platform to "acquire payment credential, call complete". These are specific, payment-oriented actions to process payments (move money) rather than generic HTTP or automation capabilities. Therefore it provides direct financial execution capability.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 06:09 AM
Issues: 3