pp-stripe

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill tells users/agents to authenticate by exporting STRIPE_SECRET_KEY or running stripe-pp-cli auth set-token <key> (i.e., passing/persisting an API key on the command line), which encourages embedding secret values verbatim in commands and output and therefore creates an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires installing and may invoke remote installers at runtime — e.g., "go install github.com/mvanhorn/printing-press-library/library/payments/stripe/cmd/stripe-pp-cli@latest" (and alternately "npx -y @mvanhorn/printing-press install stripe --cli-only"), which fetch and execute remote code and are required for the skill to run.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a Stripe-specific CLI (stripe-pp-cli) exposing the full Stripe API surface plus agent-friendly plumbing. It explicitly includes mutating, money-moving endpoints and commands such as creating payouts (payouts post), sending transfers to connected accounts (transfers post), creating PaymentIntents/charges (payment-intents post, charges post), issuing refunds (refunds post), top-ups (topups post), treasury outbound payments/transfers (treasury post-outbound-payments, post-outbound-transfers), and similar endpoints. The docs also note live-mode writes can be enabled (via --confirm-live or STRIPE_CONFIRM_LIVE) and that this v1 does not enforce a live-mode write guard, and an --agent mode (non-interactive, --yes) makes automated execution possible. This is a purpose-built payment gateway tool (not a generic HTTP or browser tool) whose primary and explicit functionality includes sending funds and performing banking/payment operations.