ucp-identity-linking

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to "Fetch live spec" from the public web (searching site:ucp.dev) and to fetch https://developers.google.com/merchant/ucp/guides/identity-linking, so the agent is required to ingest external public web pages whose content can change OAuth behavior and thus materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching the live spec at runtime (e.g., https://developers.google.com/merchant/ucp/guides/identity-linking) to obtain exact OAuth requirements that would directly control implementation instructions, and it frames that fetched content as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly enables OAuth-based access tokens that grant the ucp:scopes:checkout_session scope, described as "All checkout operations (create, get, update, complete, cancel)". That scope and the guidance to include access tokens in subsequent UCP requests mean an agent holding the token can invoke checkout operations (including creating and completing checkouts), i.e., perform financial transaction actions. Although the skill focuses on identity linking, it specifically exposes a capability that allows direct checkout/payment operations, which is direct financial execution authority.