stripe-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit hardcoded API keys and webhook secrets (e.g., stripe.api_key = "sk_test_...", pk_test_..., endpoint_secret = "whsec_...") and examples that embed secrets in code, which encourages the LLM to handle or output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly designed to perform payment operations via Stripe (a payment gateway). It contains concrete API calls and functions to create checkout sessions, PaymentIntents, subscriptions, customer billing, refunds, dispute handling, and webhook handling (e.g., stripe.checkout.Session.create, stripe.PaymentIntent.create/confirm, stripe.Subscription.create, stripe.Refund.create). These are specific, purpose-built financial actions to move or refund money and manage billing — therefore it grants direct financial execution authority.