fluxa agentic checkout

Fail

Audited by Snyk on May 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly collects and stores sensitive payment and identity data (card numbers, CVC, resident ID) and includes examples/flags that may place those secrets into files or command-line arguments (e.g., --resident-id-number or JSON with card_number), which requires the agent to handle secrets and could lead to verbatim exposure if it echoes or embeds them in outputs or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and navigates arbitrary public product/checkout URLs (SKILL.md "accepts arbitrary entry links" and scripts/checkout_playwright_handoff.py uses --entry-url), then reads page and iframe content (e.g., page.locator("body").inner_text(), iframe URLs, etc.) with Playwright and uses those page contents to decide autofill, submits, or human handoff, so untrusted third‑party web content can materially influence agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform purchases: it collects and stores full payment card details (card_number, exp, cvc) in a profile JSON, uses Playwright automation to autofill hosted payment/card fields, and exposes a distinct "execute" mode that performs the final checkout attempt (examples show running checkout_playwright_handoff.py --mode execute with a secrets-path to real_card.json). It also records successful paid orders in a local ledger (orderRecorded, orderId, orderStorageDir). This is not generic browser tooling — its primary, explicit purpose is to submit payment transactions on behalf of users. Therefore it grants direct financial execution capability.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 14, 2026, 12:37 AM
Issues: 3