payram-widget-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes a client-side script-tag embed that requires placing the merchant API key in the HTML data-api-key attribute (and shows a key-like placeholder), which would force the LLM to echo a user's API key verbatim when generating embed code — an insecure credential-handling pattern.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill embeds a script tag that loads and executes remote JavaScript at runtime from https://payram.com/widget/payram-add-credit-v1.js, which is a required runtime dependency that executes remote code in the host page.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payment integration: it provides a script widget (with merchant API key) to accept payments, a Node SDK method payram.initiatePayment, and a documented REST endpoint POST /api/v1/payment (with Authorization Bearer API key) to create payments. It includes settlement tokens/chains, deposit addresses, tx_hash, and webhook flows to confirm and fulfil payments. These are specific, intentional payment APIs (and crypto settlement) for initiating and processing financial transactions — not a generic tool. Therefore it grants direct financial execution capability.