stripe

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill includes examples that embed secret API keys and webhook secrets directly into curl commands and code (e.g., Authorization headers, constructor args, endpointSecret), which encourages the LLM to output secrets verbatim and therefore poses exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a dedicated Stripe payment integration guide and includes explicit, actionable APIs and examples for moving money: creating PaymentIntents, charges, transfers, managing connected accounts, processing payouts, and authentication with secret API keys. It specifically documents payment gateways and operations (Stripe Connect, payouts, transfers, charge types), so it provides direct financial execution capability rather than a generic tool.