x402-payments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's agentic patterns (see references/agentic-patterns.md — e.g., the "Bazaar Discovery Agent" and MCP/Anthropic tool-use examples) fetch discovery data from the public facilitator (https://x402.org/facilitator/discovery/resources) and then call arbitrary service.resource URLs and feed their JSON/text responses into agent tools/messages, which clearly ingests untrusted third-party content that could carry indirect prompt injections.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to execute cryptocurrency payments. It defines end-to-end payment flows (client creates signed payment payloads, server verifies via facilitator and calls settle), references on-chain schemes (EVM EIP-3009 TransferWithAuthorization, Solana SPL transfers), shows code that uses a private key signer (privateKeyToAccount, registerExactEvmScheme(client, { signer })) and SDK calls that produce tx hashes and settlement calls. It also references facilitators, mainnet/testnet networks, CDP API keys, and payment middleware for charging USDC per request. These are concrete, purpose-built APIs/functions to move money (stablecoin transfers and settlement), not generic tooling.