flexbe-api

Fail

Audited by Snyk on Apr 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill's instructions show and use an api_key passed directly as a URL query parameter and as a code literal (e.g., ?api_key=XXXXX, api_key: 'YOUR_API_KEY'). This pattern encourages an agent to embed the real secret verbatim in generated commands or code, where it can be captured in shell history, request logs or the model's own output, and therefore risks exfiltration.
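The pattern W007 describes can be checked mechanically before a skill's instructions are accepted. The scanner below is an added example written for this page, not Snyk's detector and not code from the Flexbe skill: it pulls every api_key value out of URL query strings and code literals, separates obvious placeholders (which still teach the model to inline the key) from real-looking secrets, and redacts the api_key query value before a URL is logged or echoed. The sample lines, hostnames, key values and the FLEXBE_API_KEY environment variable name are constructed for the example.

```python
"""Scan skill instructions for API keys embedded in URLs or code literals,
and redact api_key query values before a URL is logged or echoed.
Added example; not Snyk's detector and not the Flexbe skill's code."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines modeled on the patterns the audit quotes
# (?api_key=XXXXX and api_key: 'YOUR_API_KEY'). Hosts and key values are made up.
SAMPLE_INSTRUCTIONS = [
    "curl 'https://api.example.invalid/leads?api_key=YOUR_API_KEY'",
    "curl 'https://api.example.invalid/leads?api_key=XXXXX'",
    "const client = { api_key: 'YOUR_API_KEY' };",
    "curl 'https://api.example.invalid/leads?api_key=4f9c2d1e8b7a6c5d4e3f2a1b0c9d8e7f'",
    "headers = {'X-Api-Key': 'sk_live_9a8b7c6d5e4f3a2b1c0d'}",
    "api_key = os.environ['FLEXBE_API_KEY']",  # assumed env var name; the safe pattern
]

PARAM = "api_key"  # query parameter name quoted by the audit
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# api_key: 'value' / api_key = "value" / 'X-Api-Key': 'value'
LITERAL_RE = re.compile(r"""(?i)api[_-]?key['"]?\s*[:=]\s*['"]([^'"]+)['"]""")
# Obvious template tokens: YOUR_API_KEY, XXXXX, <your-key>, $VAR / ${VAR}
PLACEHOLDER_RE = re.compile(r"^(?:YOUR_API_KEY|X{3,}|<[^>]+>|\$\{?[A-Z_]+\}?)$")


def is_placeholder(value: str) -> bool:
    """True for template tokens; anything else is treated as a real secret."""
    return bool(PLACEHOLDER_RE.match(value))


def key_values(line: str):
    """Yield (where, value) for every api_key found in a URL query or a code literal."""
    for url in URL_RE.findall(line):
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if name.lower() == PARAM:
                yield "url", value
    for m in LITERAL_RE.finditer(line):
        yield "literal", m.group(1)


def scan(lines):
    """Return findings as (line_no, where, severity, value).
    Literal secrets are HIGH; placeholders are MEDIUM because the instruction
    still tells the model to inline the key rather than read it from a secret store."""
    findings = []
    for n, line in enumerate(lines, 1):
        for where, value in key_values(line):
            severity = "MEDIUM" if is_placeholder(value) else "HIGH"
            findings.append((n, where, severity, value))
    return findings


def redact_url(url: str) -> str:
    """Replace the api_key query value with a fixed marker so logs never carry it."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for finding in scan(SAMPLE_INSTRUCTIONS):
        print(finding)
    print(redact_url(SAMPLE_INSTRUCTIONS[3].split("'")[1]))
```

Run against the constructed lines, the scanner reports three MEDIUM placeholder findings and two HIGH literal-secret findings, and leaves the environment-variable line alone; redact_url is the shape of wrapper to put in front of any logging or echo of outbound URLs.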

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The Flexbe API skill explicitly covers "processing payments", exposes payment-related webhook events (pay), and documents payment object fields (pay{id, summ, status, ..., pay_link}) and payment status codes. The changeLead method explicitly accepts a pay{summ, status (0-3), desc} parameter, which lets callers update payment amounts and payment status (including marking a payment as Paid). These are payment-specific operations, not generic HTTP or browser automation, and constitute direct financial execution and management within the platform.
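A runtime guard for the W009 capability, as an added example for this page rather than Snyk's or the skill's own code: it reviews a proposed changeLead call before it is forwarded and refuses it when pay.summ or pay.status would change, unless a policy object carries explicit approval. The changeLead parameter shape (pay{summ, status, desc}) and the 0-3 status range come from the audit text above; the Policy and Decision types, the sample lead, the approver name and the hypothetical enforce wrapper are assumptions of the example, and no meaning is assigned to individual status codes because the page does not state one.

```python
"""Guardrail for agent-issued changeLead calls: refuse mutations of the payment
fields the audit flags (pay.summ, pay.status) unless explicitly approved.
Added example; not the Flexbe skill's code and not Snyk's tooling."""
from dataclasses import dataclass, field
from typing import Optional

FINANCIAL_FIELDS = ("summ", "status")   # amount and payment state, per the audit
VALID_STATUSES = range(0, 4)            # the audit documents status as 0-3


class PaymentWriteDenied(Exception):
    """Raised when a financial field would change without approval."""


@dataclass
class Policy:
    allow_payment_writes: bool = False   # default-deny: money fields are read-only
    approver: Optional[str] = None       # recorded in the decision when writes are allowed


@dataclass
class Decision:
    allowed: bool
    financial_changes: dict = field(default_factory=dict)  # field -> (before, after)
    reason: str = ""


def review_change_lead(params: dict, current_pay: dict, policy: Policy) -> Decision:
    """Decide whether a changeLead call may be forwarded.

    params      - the proposed changeLead arguments (may carry a 'pay' object)
    current_pay - the lead's current pay object, used to detect real changes
    policy      - whether financial writes are approved and by whom
    """
    pay = params.get("pay")
    if not pay:
        return Decision(True, reason="no payment fields touched")
    changes = {k: (current_pay.get(k), pay[k]) for k in FINANCIAL_FIELDS
               if k in pay and pay[k] != current_pay.get(k)}
    if not changes:
        return Decision(True, reason="pay present but only non-financial fields (desc) change")
    # Sanity-check the values even for approved writes.
    if "status" in pay and pay["status"] not in VALID_STATUSES:
        return Decision(False, changes, f"status {pay['status']!r} outside documented range 0-3")
    summ = pay.get("summ", current_pay.get("summ", 0))
    if isinstance(summ, bool) or not isinstance(summ, (int, float)) or summ < 0:
        return Decision(False, changes, "summ must be a non-negative number")
    if not policy.allow_payment_writes:
        return Decision(False, changes, "financial write without explicit approval")
    return Decision(True, changes, f"financial write approved by {policy.approver}")


def enforce(params: dict, current_pay: dict, policy: Policy) -> Decision:
    """Hypothetical wrapper: raise instead of forwarding a denied call."""
    decision = review_change_lead(params, current_pay, policy)
    if not decision.allowed:
        raise PaymentWriteDenied(decision.reason)
    return decision


if __name__ == "__main__":
    # Constructed lead; field names follow the pay object the audit lists.
    lead_pay = {"id": 101, "summ": 4900, "status": 0, "pay_link": "https://pay.example.invalid/101"}
    print(review_change_lead({"pay": {"desc": "customer called"}}, lead_pay, Policy()))
    print(review_change_lead({"pay": {"summ": 0, "status": 3}}, lead_pay, Policy()))
    print(review_change_lead({"pay": {"status": 3}}, lead_pay,
                             Policy(allow_payment_writes=True, approver="ops@example.invalid")))
```

The guard sits between the agent and the HTTP client: a desc-only edit passes, while any change to summ or status is denied by default and, when the policy approves it, is returned together with the before/after values so the call can be written to an audit trail.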


Audit Metadata
Risk Level: HIGH
Analyzed: Apr 6, 2026, 11:46 AM
Issues: 2