Skills
skills/juparave/dotfiles/stripe-integration/Snyk

stripe-integration

Fail

Audited by Snyk on May 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes hardcoded API keys and webhook secrets in code examples (e.g., stripe.api_key = "sk_test_..." and endpoint_secret = 'whsec_...'), which encourages embedding secret values verbatim in generated outputs and thus creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe payment integration and contains concrete API calls and functions that create and manage payments and billing: checkout sessions, PaymentIntents (confirming payments), subscriptions, customer payment methods, refunds, dispute management, and webhook handlers. These are direct payment gateway operations (Stripe) capable of moving money and managing financial transactions, so it grants Direct Financial Execution authority.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
May 6, 2026, 06:03 PM
Issues
2