The Agent Interoperability Bridge

Shell command execution function detected

system (

The MCPBridge's `handle_tools_call` method executes GreenHelix tools (`self.client.execute(gh_tool_name, arguments)`) where `gh_tool_name` is derived from external input. While there's a check against `_tool_schemas`, the `exposed_tools` list used to populate `_tool_schemas` is configurable. If this list is not strictly whitelisted to safe GreenHelix tools, an attacker could potentially execute arbitrary internal GreenHelix tools via the MCP interface.

self.client.execute(gh_tool_name, arguments) in MCPBridge.handle_tools_call

Both `A2ABridge.publish_agent_card` and `EventBridge.register_external_webhook` allow registering webhooks with URLs that can be controlled by external input (`self.base_url` or `url` parameter). This could enable an attacker to register webhooks pointing to arbitrary internal or external endpoints, leading to Server-Side Request Forgery (SSRF) or data exfiltration of GreenHelix events to attacker-controlled servers.

client.execute("register_webhook", {"url": f"{self.base_url}/a2a/tasks/webhook"...}) in A2ABridge.publish_agent_card; self.client.execute("register_webhook", {"url": url...}) in EventBridge.register_external_webhook; requests.post(webhook["url"], ...) in EventBridge.forward_event

The skill metadata declares `STRIPE_API_KEY` as a credential, but the code snippets for `AP2UCPBridge`, `PayPalAgentReadyBridge`, and `OpenAIACPBridge` utilize `ap2_api_key`, `braintree_api_key`, `braintree_api_secret`, and `openai_acp_api_key` respectively, which are not listed in the skill's `credentials` metadata. This oversight could lead to these sensitive keys being handled insecurely or not being properly managed by the platform.

credentials: [WALLET_ADDRESS, AGENT_SIGNING_KEY, STRIPE_API_KEY] in metadata; self.ap2_api_key in AP2UCPBridge; self.braintree_api_key, self.braintree_api_secret in PayPalAgentReadyBridge; self.openai_acp_api_key in OpenAIACPBridge

The `X402Bridge` relies on a configurable `facilitator_url` to verify payment proofs. While this is inherent to the x402 protocol, if the configured facilitator is compromised or malicious, it could lead to fraudulent payment approvals, allowing services to be consumed without actual payment. The security of the bridge is directly tied to the trustworthiness of this external endpoint.

requests.post(f"{self.facilitator_url}/verify", ...) in X402Bridge.validate_payment_proof

The `VisaTAPBridge` uses a `tap_certificate_path` to access a certificate file for authorization. While the path itself is not a secret, the certificate file is sensitive. Improper file permissions or storage of this certificate could lead to its compromise, potentially enabling unauthorized transactions.

cert=self.tap_certificate_path in VisaTAPBridge.create_tap_authorization

The skill manifest declares credential fields (WALLET_ADDRESS, AGENT_SIGNING_KEY, STRIPE_API_KEY) in its metadata. While the body disclaims these are user-supplied, the credential field declarations in the manifest header could cause agent runtimes to automatically inject or expose secrets from the environment into skill execution context, and the code examples include placeholder patterns like 'your-api-key', 'whsec_...', 'your-braintree-api-secret' that normalise embedding credentials directly in code.

credentials: [WALLET_ADDRESS, AGENT_SIGNING_KEY, STRIPE_API_KEY]

The skill provides production-ready code for autonomously executing real financial transactions across nine payment protocols (Visa TAP, PayPal/Braintree, Stripe ACP, x402 crypto, Google AP2) without explicit per-transaction human approval gates. The PaymentRouter class selects and executes payment paths automatically. The 'execute_routed_payment' method and all bridge payment handlers are designed for fully autonomous operation.

def execute_routed_payment(self, amount: float, payer_agent_id: str, payee_agent_id: str, payer_protocols: list, payee_protocols: list, description: str = '', prefer_speed: bool = False) -> dict:

The IdentityMapper and EventBridge classes register and resolve agent identities across nine external ecosystems, enabling autonomous spawning of cross-protocol interactions. The A2A bridge publishes an Agent Card that makes the agent discoverable and callable by arbitrary external agents. The EventBridge can forward events to attacker-controlled webhook URLs registered via 'register_external_webhook'.

def register_external_webhook(self, protocol: str, url: str, events: list) -> dict: ... self._webhook_registry[protocol].append(registration)

Multiple bridge classes accept external URLs as constructor parameters or in request payloads and make outbound HTTP requests to them without URL validation or allowlisting. The X402Bridge sends requests to an arbitrary 'facilitator_url', VisaTAPBridge to 'acquiring_bank_endpoint', AP2UCPBridge to 'ap2_base_url', and EventBridge POSTs to arbitrary webhook URLs received from external agents. This enables SSRF attacks against internal infrastructure.

verify_resp = requests.post(f"{self.facilitator_url}/verify", ...) ... resp = requests.post(webhook['url'], json=translated, timeout=10, ...)

The VisaTAPBridge accepts a filesystem path to a TLS client certificate ('tap_certificate_path') and uses it with requests.post(..., cert=...). This pattern in a skill context could expose private key material if the path is attacker-influenced or if the certificate file is readable by the agent process. The example hardcodes '/etc/ssl/tap/agent-cert.pem' suggesting a well-known predictable path.

tap_certificate_path: str ... auth_response = requests.post(f"{self.acquiring_bank_endpoint}/authorize", json=auth_request, cert=self.tap_certificate_path, timeout=15)

The EventBridge.forward_event() method sends full event payloads (including transaction amounts, agent IDs, authorization codes, payment IDs, and payer details) to arbitrary webhook URLs registered by callers. An attacker who can call register_external_webhook with a controlled URL can receive a continuous stream of sensitive financial and identity data from all nine protocol bridges.

resp = requests.post(webhook['url'], json=translated, timeout=10, headers={'X-Source-Protocol': source_protocol})

The skill is declared with 'executable: false' and 'install: none', yet the content contains a complete production deployment chapter, a full initialization block, Flask webhook handlers, and explicit instructions for running services in production. The metadata claims non-executability while the content is explicitly production-oriented, creating a mismatch that could mislead security review.

executable: false
install: none ... ### Putting It All Together
Here is the initialization code that wires up all bridge classes in a single deployment

The PayPalAgentReadyBridge constructor accepts 'braintree_api_secret' and uses HTTP Basic Auth with the key/secret pair directly in requests. The initialization block in Chapter 13 shows these being passed as plaintext constructor arguments. The GraphQL mutation also sends Fastlane tokens (payment credentials) over HTTP, and the validate_fastlane_token method retrieves full consumer financial account data including email and spending limits.

braintree_api_secret: str ... bt_response = requests.post(self._bt_base_url, json={'query': mutation, 'variables': variables}, auth=(self.braintree_api_key, self.braintree_api_secret), timeout=15)

The MCPBridge.handle_tools_call() strips the 'greenhelix_' prefix from the tool name and passes the result directly to client.execute(). The exposed_tools list defaults to empty and allows arbitrary tool names via the constructor. An MCP client that can call 'greenhelix_<any_tool>' will have it translated to an arbitrary GreenHelix API call, potentially accessing all 128 tools in the catalog beyond those intended for MCP exposure.

gh_tool_name = tool_name.replace('greenhelix_', '') ... result = self.client.execute(gh_tool_name, arguments)

The MCP bridge exposes 'get_agent_identity' as a public MCP tool that returns agent public keys and trust scores. The A2A Agent Card also publicly exposes trust scores and public keys via the x-greenhelix extension field. This enables systematic enumeration of all registered GreenHelix agents and their reputation data by any MCP or A2A client.

'x-greenhelix': {'agent_id': self.agent_id, 'public_key': identity.get('public_key'), 'trust_score': identity.get('trust_score')}

User confirmation bypass detected — attempts to skip human oversight

auto-approve

The skill content explicitly states it is an 'educational guide' and 'does not execute code or install dependencies.' While potentially true for the skill's packaging, this framing can lower the guard of reviewers and users, potentially leading them to overlook security implications of the *illustrative code* which describes highly privileged operations like API key usage and external communication.

> **Notice**: This is an educational guide with illustrative code examples. It does not execute code or install dependencies.