agent-passport

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and posts to a public, user-generated Agent Agora (e.g., aeoess.com/agora) and exposes MCP tools like get_agora_topics/get_agora_thread and example calls ("Read Agora messages") in SKILL.md/example_calls.md, so the agent will fetch and interpret untrusted third-party messages that can influence coordination and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs agents to connect at runtime to the remote MCP SSE endpoint https://mcp.aeoess.com/sse which provides 38 MCP tools (including execute_with_context) that can drive agent actions and execution, indicating a runtime external dependency that can control prompts/instructions or execute code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements an "Agentic Commerce" layer for agent purchases and scoped spending: it documents a 4‑gate checkout (Passport gate, Delegation gate, Merchant gate, Spend gate), delegation with --limit (e.g., delegate --limit 500), and MCP commerce tools and APIs (commerce_preflight, get_commerce_spend, request_human_approval, commercePreflight). These are specific commerce/spend primitives (scoped delegation with spend limits, merchant approval, preflight spend checks) intended to let agents execute or authorize expenditures. This is not a generic toolset (like a browser or generic HTTP caller) but a purpose-built commerce/spend capability, so it constitutes direct financial execution authority.