x402

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill’s docs show the agent ingesting and acting on arbitrary public resource/payment metadata (e.g., Bazaar discovery and facilitator cataloging in references/extensions.md and the WithBazaar facilitator usage in references/go-sdk.md, plus HTTP/MCP/A2A flows in references/transports.md) — servers/facilitators publish PaymentRequired/PaymentPayload from external resources that the client/facilitator must parse and use to decide payments and follow-up actions, exposing the agent to untrusted third‑party content that can influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill (x402) is explicitly designed to perform on-chain crypto payments: it provides SDKs and code for clients to sign payments (e.g., privateKeyToAccount, registerExactEvmScheme with a signer), facilitator APIs to verify and settle transactions, support for multiple blockchains (EVM, Solana, Stellar, Aptos), and examples where requests are automatically paid on HTTP 402 responses. It directly enables sending/settling crypto transactions and agent-to-agent payments, so it grants direct financial execution capability.