money-product
Fail
Audited by Snyk on May 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly asks the user to provide API keys/credentials (e.g., GEMINI_API_KEY) and instructs the agent to "save preference" and provision integrations (configure env vars, Stripe, webhooks), which means the agent will receive and likely persist or embed secret values unless additional handling rules are enforced, creating a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provisions and integrates payment processing: it names Stripe as the payment provider, requires "Stripe/payment integration", and defines concrete payment functionality (Stripe Checkout for subscriptions/one-time payments, webhook handlers for payment events, user plan/subscription tracking, upgrade/downgrade flows). It also references monitoring Stripe dashboard for failed charges and asks the user to provide API keys/credentials. These are specific payment gateway integrations and transaction-management capabilities (not generic browser automation or HTTP calls), so the skill grants direct financial execution authority.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata