agirails-agent-payments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required onboarding and code-generation steps explicitly instruct the agent to call arbitrary HTTP provider endpoints (x402) — see Step 5 x402 example and the "Adapter Routing" section showing client.basic.pay({ to: 'https://api.provider.com/service' }) and registering X402Adapter — which causes the agent to fetch and act on untrusted third-party responses that can influence payments/releases.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs runtimes to fetch and install external skill code at runtime — e.g., curl -sL https://market.agirails.io/skills/claude-code/skill.md (writes a Claude skill file) and git clone https://github.com/agirails/openclaw-skill.git (clones a runtime skill repo) — which directly supplies instructions/code that the agent will execute, so these URLs are runtime dependencies that can control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payment SDK/onboarding for an on-chain agent economy that mints, transfers, locks, and settles USDC. It includes concrete APIs and commands that perform payments and escrow operations (e.g., ACTPClient.create(), client.pay(), client.basic.pay(), request() that locks USDC, client.standard.releaseEscrow(transaction.id), mintTokens(), X402Adapter with a transferFn that calls ERC-20 transfer, CLI commands like actp pay / actp tx settle, and explicit contract addresses and key management). This is not a generic tool — its primary and explicit purpose is to move and settle funds on-chain (USDC) including wallet/key handling, escrow release, and adapter transfer functions.