Ap2 Agentic Payments

Pass

Audited by ClawScan on May 13, 2026.

Overview

This is a coherent documentation-style AP2 payment-development skill, but users should handle its payment, credential, inter-agent messaging, and audit-log guidance carefully.

This skill appears safe to install as AP2 reference guidance. Before using it for real payment systems, review any generated code carefully, rely on official AP2 sources, keep raw payment credentials out of general agents, and apply strong controls for logs, mandates, signatures, authentication records, and inter-agent messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may browse AP2 documentation or search results when helping with AP2 code.

Why it was flagged

The skill directs the agent to use web search/fetch tools before coding. This is coherent with the stated need to track an evolving protocol, but it means external web content may influence generated implementation advice.

Skill content

Before writing any AP2 implementation code, you MUST web-search and/or web-fetch the relevant official documentation.

Recommendation

Prefer official AP2/FIDO/GitHub sources, review fetched material, and do not allow retrieved web pages to override the user's instructions or safety constraints.

What this means

If used to build a real Credentials Provider, the resulting system may handle payment methods, tokens, and user identity information.

Why it was flagged

The skill provides guidance for implementing a role that may store and tokenize payment credentials. This is central to AP2 and is disclosed, but it is sensitive authority in any real implementation.

Skill content

The Credentials Provider is the payment credentials custodian — a digital wallet that securely manages payment methods and handles tokenization

Recommendation

Use least privilege, PCI-compliant storage, tokenization, hardware-backed key management, strong authentication, and keep raw payment credentials outside shopping-agent code.

What this means

Payment mandates and related transaction data may pass between shopping agents, merchants, credentials providers, and processors in systems built from this guidance.

Why it was flagged

The skill describes multi-agent payment communication where AP2 mandates move between agents. This is expected for AP2, but identity, origin, authorization, and data boundaries must be enforced.

Skill content

AP2 mandates are transmitted as DataParts within A2A messages

Recommendation

Authenticate agents, validate signatures and Agent Cards, use HTTPS, restrict what each role can see, and avoid sending raw credentials through general agent channels.

What this means

A real implementation may retain detailed payment, identity, risk, and authentication history.

Why it was flagged

The skill recommends retaining payment and authentication evidence for dispute handling. This is purpose-aligned, but it can create sensitive persistent records if implemented without retention, redaction, encryption, and access controls.

Skill content

Store for the full retention period ... All signed mandates ... Agent-to-agent message logs ... Challenge records ... Payment receipts ... Risk signal snapshots ... User session authentication records

Recommendation

Define a clear retention policy, encrypt logs and mandates, redact unnecessary sensitive fields, limit access, and avoid raw HTTP/body logging in production unless strictly controlled.