Whispers of Wealth: Red-Teaming Google's Agent Payments Protocol via Prompt Injection

Large language model (LLM) based agents are increasingly used to automate financial transactions, yet their reliance on contextual reasoning exposes payment systems to prompt-driven manipulation. The Agent Payments Protocol (AP2) aims to secure agent-led purchases through cryptographically verifiable mandates, but its practical robustness remains underexplored. In this work, we perform an AI red-teaming evaluation of AP2 and identify vulnerabilities arising from indirect and direct prompt injection. We introduce two attack techniques, the Branded Whisper Attack and the Vault Whisper Attack which manipulate product ranking and extract sensitive user data. Using a functional AP2 based shopping agent built with Gemini-2.5-Flash and the Google ADK framework, we experimentally validate that simple adversarial prompts can reliably subvert agent behavior. Our findings reveal critical weaknesses in current agentic payment architectures and highlight the need for stronger isolation and defensive safeguards in LLM-mediated financial systems.

Key Contributions

• Introduces the Branded Whisper Attack, a prompt injection technique that manipulates product ranking within an AP2-based shopping agent to favor adversary-chosen items.
• Introduces the Vault Whisper Attack, a prompt injection technique that extracts sensitive user payment data from the agent's context.
• Experimentally validates both attacks on a functional AP2 prototype (Gemini-2.5-Flash + Google ADK), demonstrating that AP2's cryptographic mandates do not prevent prompt-level manipulation of agent reasoning.

🛡️ Threat Analysis

Details

Similar Papers