Scan Report
5/100
pop-pay
Payment guardrail for AI agents — injects card via CDP, never exposes it to the agent context. Semantic spend policy + prompt-injection resistance.
This is a documentation-only skill (SKILL.md + LICENSE + metadata). No executable code, scripts, or dependencies are present. The security design described is thoughtful and explicitly addresses prompt injection resistance and card isolation.
Safe to install
No immediate risk. The skill describes a well-architected payment guardrail with CDP-based card injection that never exposes card numbers to the agent context. However, actual implementation code should be audited before production use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access described or implemented |
| Network | NONE | NONE | — | No network calls described in SKILL.md; webhook is user-supplied |
| Shell | NONE | NONE | — | No shell execution in skill definition |
| Environment | NONE | NONE | — | Environment vars are user-configured policy settings, not credential access |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation described |
| Clipboard | NONE | NONE | — | No clipboard access described |
| Browser | NONE | NONE | — | CDP injection is described but handled by an external 'pop-pay' binary, not the … |
| Database | NONE | NONE | — | No database access described or implemented |
4 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://hooks.slack.com/your-hook-here | SKILL.md:54 |
| Medium | External URL | https://hooks.slack.com/... | SKILL.md:165 |
| Medium | External URL | https://www.amazon.com/checkout/payment | SKILL.md:177 |
| Medium | External URL | https://www.amazon.com/checkout/address | SKILL.md:183 |
File Tree
3 files · 7.5 KB · 229 lines
Markdown 1f · 202L
Text 1f · 21L
JSON 1f · 6L
├─ _meta.json (JSON)
├─ LICENSE.txt (Text)
└─ SKILL.md (Markdown)
Security Positives
✓ Security model explicitly states card number is never placed in the agent's context window
✓ CDP injection runs in a separate process — a prompt injection attack cannot steal the card
✓ Semantic guardrail evaluates SHOULD vs CAN, not just budget availability
✓ Prompt injection scan (page_snapshot) runs before any payment operation
✓ No credential harvesting or environment variable iteration observed
✓ No base64, eval, or obfuscated code patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Open source under MIT license with auditable GitHub repository
✓ Clear documentation with no hidden functionality or shadow features