stripe-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds literal API and webhook secret placeholders (e.g., "sk_test_...", "pk_test_...", "whsec_...") and shows patterns that place keys and client_secret values directly in generated code/outputs, which requires the LLM to handle or output secrets verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to integrate with Stripe (a payment gateway) and includes concrete API calls that create payments, subscriptions, refunds, and manage customer payment methods (e.g., stripe.checkout.Session.create, stripe.PaymentIntent.create/confirm, stripe.Subscription.create, stripe.Refund.create, stripe.PaymentMethod.attach). These are direct financial execution operations — not generic tooling — and can initiate or modify money movement and billing. Therefore it grants direct financial execution authority.