fd-agentic-commerce

Fail

Audited by Snyk on Apr 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask the user for an ACP merchant API key and to include it verbatim in Authorization: Bearer headers / curl commands, which requires the LLM to handle and output secrets directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill directly fetches and parses untrusted merchant endpoints (e.g., /.well-known/acp.json and /.well-known/ucp discovery docs, the ACP product-feed RSS/XML, and checkout-session responses) from arbitrary merchant URLs supplied at runtime and uses those responses to choose protocols, select payment requirements, and drive wallet authorization/complete actions—so third-party content can materially influence the agent's decisions and tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to complete purchases and execute payments. It integrates with a payment handler (xyz.fd.prism_payment), drives checkout session create/update/complete flows, and invokes wallet-based payment authorization (fdx wallet authorizePayment or the MCP authorizePayment tool) to obtain signed payment payloads/EIP-3009 authorizations. It then posts those authorization payloads to merchant /complete endpoints (UCP/ACP) to finalize payment and returns on-chain tx hashes. These are specific, purpose-built payment flows and wallet signing steps (not generic HTTP or browsing), so the skill grants direct financial execution authority.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 18, 2026, 07:35 AM
Issues: 3