agentkit-x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to parse and act on the untrusted "agentkit" extension delivered inside 402 Payment Required responses (see SKILL.md Step 1) and to fetch/send requests to the challenge "uri" (Step 4), meaning arbitrary third‑party response fields (statement, nonce, uri, supportedChains) are ingested and can directly change signing and network/payment behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill parses an agentkit extension from a runtime 402 response and relies on server-provided fields (including the challenge uri https://api.example.com/data and the statement) to construct the SIWE/SIWS message the agent signs, meaning remote content fetched at runtime directly controls the agent's prompt/authorization flow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly instructs the agent to use crypto wallets and cryptographic signing to authenticate and obtain access in lieu of payment. It details wallet types (EOA and Smart Contract Wallet), specific signing methods (personal_sign / EIP-191, ERC-1271 via wallet SDK), constructing SIWE/SIWS messages, chain IDs (CAIP-2), and assembling/sending a signed header. Those are specific, crypto/blockchain signing operations (wallet usage and signing) rather than generic tooling, so this is direct crypto-related execution capability.