ucp

Warn

Audited by Snyk on May 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to call merchant-hosted endpoints (e.g., ucp discover --business <url>, ucp <op> --input-schema --business <url>, and catalog/checkout calls) and to read merchant-provided responses (result.messages[], cta.description/commands, result.totals[]) from those third-party merchant URLs, which are untrusted external content that the agent must interpret and which can change subsequent actions (escalation, checkout, follow-on commands).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly an e-commerce checkout and order-placement toolkit. It provides merchant-scoped transactional commands (ucp cart create/update, ucp checkout create/update, and especially ucp checkout complete) that are defined to assemble carts, complete checkouts, and place orders ("completed → order placed"). These are specific, purpose-built operations to execute purchases (i.e., move money via merchants), not generic HTTP or browser actions. Therefore it grants direct financial execution capability.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 08:12 PM
Issues
2