x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime flow explicitly ingests and acts on untrusted, public third-party content—e.g., reading PaymentRequired objects from arbitrary HTTP servers via the PAYMENT-REQUIRED/PAYMENT-SIGNATURE headers (references/transports.md and SKILL.md), processing MCP/A2A structuredContent containing PaymentRequired (references/transports.md), and cataloging/using Bazaar discovery info returned by facilitators (references/extensions.md and references/go-sdk.md), any of which an external service could craft to influence the agent's subsequent tool calls and actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payments protocol for on-chain crypto transactions. It provides SDKs and concrete APIs for signing payments (privateKeyToAccount, registerExactEvmScheme/registerExactSvmScheme), creating facilitators that "settle transactions on-chain", and client/server flows that automatically send signed transactions and call facilitator settle endpoints. It references EVM (EIP-3009, Permit2), Solana (SPL TransferChecked), Aptos transfers, and shows code examples that perform wallet signing and settlement. This is specifically designed to move money on-chain (crypto/blockchain wallet signing and settlement), so it meets the Direct Financial Execution criteria.