agent-agentic-payments
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, NO_CODE)
Full Analysis
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted external data that can influence high-stakes financial tools.
  - Ingestion points: Untrusted data enters the agent context via the `merchant`, `description`, and `metadata` parameters of the `mcp__agentic-payments__authorize_payment` tool call, typically sourced from external commerce websites.
  - Boundary markers: The skill instructions provide no delimiters (e.g., XML tags or triple quotes) or explicit system-level instructions to ignore commands embedded within transaction details.
  - Capability inventory: The skill enables sensitive financial actions, specifically authorizing payments (`mcp__agentic-payments__authorize_payment`) and performing cryptographic signing (`mcp__agentic-payments__sign_mandate`).
  - Sanitization: The documentation does not describe any validation, escaping, or sanitization mechanisms for external input before it is interpolated into tool calls.
- NO_CODE (SAFE): This skill contains only a markdown definition (`SKILL.md`) and no executable script files (e.g., `.py` or `.js`), which eliminates the risk of direct malicious code execution from the skill package itself.
- CREDENTIALS_UNSAFE (SAFE): The example for `mcp__agentic-payments__sign_mandate` uses a placeholder (`ed25519_private_key`). No actual hardcoded secrets were detected; however, the architectural choice to pass raw cryptographic keys through tool arguments is a security best-practice violation, as it exposes sensitive keys to model logs and the platform provider's context.
Audit Metadata