x402
Warn
Audited by Snyk on Feb 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill requires the agent (client/facilitator) to parse and act on untrusted, server-provided data such as PaymentRequired.resource.url and extensions.bazaar (and discovery API results) — e.g., "Clients are expected to echo the bazaar extension from PaymentRequired into their PaymentPayload" and facilitators "must validate info against schema before cataloging" — which means arbitrary third-party endpoint specs and metadata are ingested and can materially change request/behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payments protocol with built-in, scheme-specific settlement operations. It defines a Facilitator API with POST /settle that "Settles payment on-chain," describes calling EVM contract methods (EIP-3009 transferWithAuthorization), Solana TransferChecked flows, transaction hashes, payer/payTo addresses, signer lists, and verification/settlement logic. These are concrete, specific blockchain payment/settlement operations (signing, broadcasting, and settling transactions), not generic tooling. Therefore it provides direct financial execution capability.
Audit Metadata