a2a-wallet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and interprets content from arbitrary agent URLs (e.g., "a2a-wallet a2a card https://my-agent.example.com" and the x402 payment flow described in SKILL.md), and it consumes untrusted agent responses/metadata and http(s) file URIs that are used to decide actions like signing and submitting payments, which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The INSTALL.md contains a direct fetch-and-execute instruction that runs a remote install script (curl -fsSL https://raw.githubusercontent.com/planetarium/a2a-x402-wallet/main/scripts/install.sh | sh), which downloads and executes remote code as part of setup for the CLI and thus is a high-confidence risky external dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly implements cryptocurrency wallet management and payment execution: it supports local and custodial wallets (create/import/use/connect), shows balances, requests testnet USDC faucet, provides an x402 "x402 sign" command to sign PaymentRequirements, and documents the exact flow to submit a payment (sign then a2a-wallet a2a send with task-id and metadata). These are specific crypto/payment APIs and signing operations (not generic tooling), so the skill grants direct financial execution capability.