x402-payment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's x402_invoke tool explicitly fetches arbitrary third-party URLs (the --url target and agent-discovery endpoints like /.well-known/agent.json and /entrypoints) and parses their JSON/text/binary responses as part of the invoke/payment workflow (including 402 negotiation), meaning untrusted remote content can directly influence tool behavior and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime HTTP requests to whatever endpoint is passed via --url (i.e., the external agent endpoint supplied at invocation) and directly returns/uses the response as the agent invocation result, so a remote URL provided at runtime (the --url parameter / external agent endpoint) can control prompts/instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements crypto payment execution: it requires private keys (EVM/TRON), provides an x402_invoke tool/script that "handles the negotiation, signing, and execution of the payment", lists token contract addresses, networks, and automatic approval/transaction behavior (including "infinite approval" and gas requirements). This is a specific wallet/transaction signing and token-transfer capability (crypto/blockchain payments), so it is directly designed to move money.