x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on untrusted third‑party content — e.g., it parses PaymentRequired structuredContent from HTTP/MCP/A2A, uses the Bazaar discovery API (GET /discovery/resources) and facilitator discovery, and performs DID resolution for offer-receipt by fetching /.well-known/did.json from did:web domains — all of which the agent is expected to read/interpret and which can change verification/settlement or tool-selection behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payments protocol and SDK for on-chain transactions. It provides client/server/facilitator primitives to sign payments, settle transactions on-chain, and configure wallet addresses (pay_to). Examples show constructing signers (privateKeyToAccount), submitting PAYMENT-SIGNATURE headers, and using facilitator APIs to POST /settle. It supports EVM, Solana, Stellar, Aptos, Permit2/EIP-3009, SPL/SEP-41 schemes — all specific crypto payment primitives. Its primary and explicit purpose is to move money (micropayments, paywalls, agent-to-agent payments), not a generic tool, so it grants direct financial execution authority.