x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The CLI's probe-endpoint and execute-endpoint commands explicitly accept arbitrary HTTPS --url values (see execute-endpoint/probe-endpoint in x402.ts and AGENT.md) and fetch and parse those remote responses (via probeEndpoint/createApiClient/createPlainClient), using returned data/payment headers to decide whether to pay and execute—thus untrusted third-party content can directly influence the agent's actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes built-in crypto payment and transaction functionality. It describes automatic payment flows using a configured wallet, an "execute-endpoint" command with a --auto-approve flag that will pay for paid API endpoints, and a "send-inbox-message" command that sends sponsored sBTC transactions and returns a txid/amount. The scaffold commands let you configure payment amounts, tokenType (STX, sBTC, USDCx) and recipient addresses. These are specific, purpose-built capabilities to sign/send crypto payments and collect payments, not generic HTTP or automation tools—so it provides direct financial execution authority.