money-product

Fail

Audited by Snyk on May 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly asks the user to provide API keys/credentials (e.g., GEMINI_API_KEY) and instructs the agent to "save preference" and provision integrations (configure env vars, Stripe, webhooks), which means the agent will receive and likely persist or embed secret values unless additional handling rules are enforced, creating a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provisions and integrates payment processing: it names Stripe as the payment provider, requires "Stripe/payment integration", and defines concrete payment functionality (Stripe Checkout for subscriptions/one-time payments, webhook handlers for payment events, user plan/subscription tracking, upgrade/downgrade flows). It also references monitoring Stripe dashboard for failed charges and asks the user to provide API keys/credentials. These are specific payment gateway integrations and transaction-management capabilities (not generic browser automation or HTTP calls), so the skill grants direct financial execution authority.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 03:34 PM
Issues
2
Security Audit — snyk — money-product