a2a-wallet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and interprets data from arbitrary agent URLs (e.g., "a2a-wallet a2a card https://my-agent.example.com" and sending/streaming to https://my-agent.example.com), and the agent-provided card/metadata and runtime replies (like x402 PaymentRequirements and task.status) are parsed and directly drive signing, payment submission, and auth flows, so untrusted third-party content can materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The INSTALL.md contains a direct install command—curl -fsSL https://raw.githubusercontent.com/planetarium/a2a-x402-wallet/main/scripts/install.sh | sh—which fetches and executes remote code during setup and the CLI installed by that script is required for the skill to run.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet CLI (a2a-wallet) designed to perform on-chain payment flows: it includes an x402 sign command to sign payment requirements, detailed payment flow steps that produce and submit payment payloads, wallet balance viewing, and wallet auth (SIWE). These are specific blockchain/cryptocurrency payment operations (signing transactions/payments and submitting them), not generic tooling, so it grants direct financial execution capability.