x402

Warn

Audited by Snyk on Mar 30, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's documentation explicitly describes fetching and interpreting PaymentRequired/Discovery data from public facilitators and resources (e.g., references/extensions.md "Bazaar" with GET /discovery/resources, and references/transports.md "MCP Transport", where servers return PaymentRequired in structuredContent). These are open, public third-party endpoints whose untrusted, user-provided content the client/agent is expected to parse and act on, so that content can influence tool selection, payment, and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and primarily designed to perform on-chain payments. It defines a payment protocol (x402) for programmatic crypto micropayments, includes client-side signing with private keys, facilitator APIs that settle transactions on-chain, and SDKs/schemes for EVM (EIP-3009/Permit2), Solana (SPL transfers), Stellar (SEP-41), Aptos, etc. Example code shows creating buyers/sellers, registering signers (privateKeyToAccount), automatic payment handling on HTTP 402, and facilitator settle/verify endpoints. These are specific payment/gateway and crypto wallet/transaction capabilities intended to move value, not generic tooling.

Issues (2)

W011  MEDIUM  Third-party content exposure detected (indirect prompt injection risk).

W009  MEDIUM  Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 12:06 AM
Issues: 2