gate-pay-x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly calls external merchant endpoints and a remote discovery MCP (e.g., the discoveryResource catalog and merchant HTTP URLs described in "GatePay merchant discovery & agent orchestration" and the "Merchant url / method / body" / workflow sections), and it ingests and acts on those third‑party responses (including 402/quote data) to drive tool calls and payments, so untrusted third‑party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires running a remote MCP package via "npx -y gatepay-local-mcp" (executes fetched code at runtime) and may call a remote discovery MCP URL such as "http://dev.halftrust.xyz/pay-mcp-server/mcp" to fetch merchant resources that directly influence agent behavior, so these are runtime external dependencies that can execute code or control prompts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for payment execution. It names payment- and wallet-specific tools (e.g. x402_place_order, x402_sign_payment, x402_create_signature, x402_submit_payment, x402_centralized_payment, x402_quick_wallet_auth, plugin/quick_wallet/local_private_key rails) and describes signing, submitting, and centralized settlement flows. These are specific payment gateway / wallet operations (not generic browser or HTTP tooling) that can move funds or create payment signatures, so it grants direct financial execution capability.