x402-payment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill issues HTTP requests to arbitrary external endpoints (the --url / entrypoint invocation and manifest fetch like https:///.well-known/agent.json and /entrypoints), parses JSON/text and a base64 "payment-response" header, and uses that returned data to drive payment negotiation and on-chain actions, so untrusted third-party content can influence tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements on-chain payment operations: it negotiates, signs, and executes ERC20/TRC20 token payments (USDT/USDC/USDD) across EVM and TRON networks via the x402_invoke tool. It requires wallet private keys/mnemonics, supports on-chain transfers (e.g., GasFree activation which "transfers activateFee + transferFee + 1 token" and polls for confirmations), and performs approval and token transfer transactions (including "infinite approval"). These are specific, purpose-built capabilities to move funds on-chain, not generic tooling.