openpay-mexico

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW (CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill defines functions that process untrusted data (e.g., payment descriptions, order IDs) and send them to an external payment API. While it uses JSON serialization, it lacks explicit sanitization for these fields, creating a surface where malicious input could influence API interactions.
      • Ingestion points: Arguments to createCardCharge, createSpeiCharge, and createOxxoCharge (specifically description and orderId).
      • Boundary markers: Absent in the provided code snippets.
      • Capability inventory: fetch calls to api.openpay.mx using a PRIVATE_KEY for authentication.
      • Sanitization: None detected for the input strings; relies on standard JSON encoding.
  • Credential Handling (LOW): The skill requires several high-privilege API keys (OPENPAY_PRIVATE_KEY, OPENPAY_WEBHOOK_SECRET). While it correctly advises using environment variables, the agent's involvement in handling these secrets increases the risk of accidental exposure if the agent is compromised or misconfigured.
  • Unverifiable Code (LOW): The skill explicitly discourages the official openpay SDK in favor of custom code. While the provided code is transparent and follows API documentation, bypassing managed packages shifts the burden of security maintenance entirely to the implementation code.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 09:26 AM