ucp
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call merchant-hosted endpoints (e.g.,
ucp discover --business <url>,ucp <op> --input-schema --business <url>, and catalog/checkout calls) and to read merchant-provided responses (result.messages[], cta.description/commands, result.totals[]) from those third-party merchant URLs, which are untrusted external content that the agent must interpret and which can change subsequent actions (escalation, checkout, follow-on commands).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly an e-commerce checkout and order-placement toolkit. It provides merchant-scoped transactional commands (ucp cart create/update, ucp checkout create/update, and especially ucp checkout complete) that are defined to assemble carts, complete checkouts, and place orders ("completed → order placed"). These are specific, purpose-built operations to execute purchases (i.e., move money via merchants), not generic HTTP or browser actions. Therefore it grants direct financial execution capability.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata