pay-with-app

Warn

Audited by Snyk on Apr 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly parses and acts on arbitrary HTTP 402 challenge JSON returned by a third-party merchant/facilitator (see "Phase 0, Parse the 402 Challenge" in SKILL.md, which extracts accepts[].resource, extra.name/version, asset, payTo) and also consumes Uniswap Trading API quote responses. Both are untrusted external inputs that directly determine funding, signing, and retry actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill conditionally runs "npm install viem" at runtime (into ~/.cache/uniswap-pay-with-app/signer/), which fetches and installs remote code from the npm registry (e.g. https://registry.npmjs.org/viem), and then executes Node code to perform signing. This is a required runtime fetch that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly built to perform on-chain payments and fund transfers: it targets OKX's Agent Payments Protocol (APP) to satisfy HTTP 402 payment challenges, requires a PRIVATE_KEY for signing, constructs and signs EIP-3009 TransferWithAuthorization messages, and submits the signed X-PAYMENT payload to effect settlement. It also integrates with the Uniswap Trading API to route/bridge and swap tokens (funding flows, approvals, Permit2, Universal Router), checks balances via RPC, and instructs the agent to perform or gate multiple distinct transactions (approvals, swaps, bridges, signing). These are specific crypto/payment APIs and transaction-execution steps (wallet signing, token swaps, bridging, submitting payment headers) intended to move funds, not generic tooling. Therefore this skill grants Direct Financial Execution Authority.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 03:34 AM
Issues: 3