x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md shows agents performing HTTP discovery and fetching arbitrary external endpoints (e.g., the "Discovery Pattern" fetch to https://agent-service.com/.well-known/x402 and the agentFetch calls to external services like https://summarizer.agent/api/summarize), meaning the agent ingests untrusted third-party responses that directly influence service selection, payment, and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime example instantiates an HTTPFacilitatorClient pointing at https://api.cdp.coinbase.com/platform/v2/x402 and relies on that facilitator at runtime to /verify and /settle payments (it in turn submits transferWithAuthorization transactions on-chain), so this external URL is a required runtime dependency that causes remote code execution.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes — this skill explicitly implements cryptocurrency payment execution. It describes EIP-3009 transferWithAuthorization, client libraries that sign authorizations with private keys, facilitator endpoints (/verify, /settle) that validate and then call transferWithAuthorization to move USDC on-chain, and even patterns for autonomous agent-to-agent payments using agent private keys. These are specific crypto/ blockchain payment primitives (wallet signing + on-chain settlement), not generic HTTP or API tooling, and thus grant direct financial execution authority.