x402-payments


Audited by Snyk on Mar 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's agentic patterns and examples (notably references/agentic-patterns.md and SKILL.md) explicitly fetch and act on public facilitator discovery and arbitrary service URLs (e.g., calls to https://x402.org/facilitator, discoverServices -> service.resource, and wrapFetchWithPayment to external endpoints), causing the agent to ingest untrusted third-party content that can directly influence which tools/requests and payments it performs.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to execute cryptocurrency payments. It defines end-to-end payment flows (client creates signed payment payloads, server verifies via facilitator and calls settle), references on-chain schemes (EVM EIP-3009 TransferWithAuthorization, Solana SPL transfers), shows code that uses a private key signer (privateKeyToAccount, registerExactEvmScheme(client, { signer })) and SDK calls that produce tx hashes and settlement calls. It also references facilitators, mainnet/testnet networks, CDP API keys, and payment middleware for charging USDC per request. These are concrete, purpose-built APIs/functions to move money (stablecoin transfers and settlement), not generic tooling.


Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 18, 2026, 05:20 AM
Issues: 2