tranzila-payment-gateway

Fail

Audited by Snyk on Apr 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructions include explicit request examples and code that place credentials (e.g., TranzilaPW, X-tranzila-api-app-key, TranzilaTK) directly into API requests, sample commands and POST bodies. An LLM following those instructions would therefore have to reproduce the user's secret values verbatim in its outputs, where they can be captured in transcripts, tool-call traces and logs.
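The pattern the W007 finding calls for is the opposite of what the skill does: name the credential parameters (supplier, TranzilaPW, TranzilaTK, X-tranzila-api-app-key) and where they come from, but never put their values into instructions, example commands or log output. The following Python is an added example written for this audit page; it is not the skill's own code and not Tranzila's SDK. The body and header field names and the /cgi-bin/tranzila31tk.cgi path are taken from the finding; the base URL, the environment-variable names and the sample values in the test are assumptions chosen for illustration.

```python
"""Parameterised Tranzila charge request (added example, not the skill's code).

Secrets are read from the process environment at call time, the request is
redacted before it is ever logged, and a leak check scans any rendered text
(a prompt, a shell command, an LLM output) for verbatim secret values.
"""
import os
from typing import Dict, List, Mapping, Optional

# Assumption: the real Tranzila host is not given on the audit page, so a
# placeholder is used here. The path is the one named in the W009 finding.
BASE_URL = "https://tranzila.example.invalid"
CHARGE_PATH = "/cgi-bin/tranzila31tk.cgi"

# Assumed environment-variable names. The left-hand keys are the real
# parameter names from the finding; the values are our own choice.
ENV_VARS = {
    "supplier": "TRANZILA_SUPPLIER",
    "TranzilaPW": "TRANZILA_PW",
    "TranzilaTK": "TRANZILA_TK",
    "X-tranzila-api-app-key": "TRANZILA_APP_KEY",
}

# Fields the finding identifies as secrets. 'supplier' is a merchant id, not a secret.
SECRET_FIELDS = {"TranzilaPW", "TranzilaTK", "X-tranzila-api-app-key"}
MASK = "***"


class MissingCredential(RuntimeError):
    """Raised when a required variable is unset; the message names the variable only."""


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Resolve each parameter from the environment (or a supplied mapping for tests)."""
    source = os.environ if env is None else env
    creds: Dict[str, str] = {}
    for field, var in ENV_VARS.items():
        value = source.get(var, "")
        if not value:
            # Name the variable that is missing; never echo a value.
            raise MissingCredential(f"credential for {field!r} not set: export {var}")
        creds[field] = value
    return creds


def build_charge_request(amount: str, expdate: str, creds: Mapping[str, str]) -> dict:
    """Assemble the POST described in the audit; the body is kept as a dict until sent."""
    body = {
        "supplier": creds["supplier"],
        "TranzilaPW": creds["TranzilaPW"],
        "TranzilaTK": creds["TranzilaTK"],
        "expdate": expdate,
        "sum": amount,
    }
    headers = {
        "X-tranzila-api-app-key": creds["X-tranzila-api-app-key"],
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"method": "POST", "url": BASE_URL + CHARGE_PATH, "headers": headers, "body": body}


def redact(request: dict) -> dict:
    """Return a copy safe for logs and transcripts: every secret field is masked."""
    return {
        **request,
        "headers": {k: (MASK if k in SECRET_FIELDS else v) for k, v in request["headers"].items()},
        "body": {k: (MASK if k in SECRET_FIELDS else v) for k, v in request["body"].items()},
    }


def secrets_leaked(text: str, creds: Mapping[str, str]) -> List[str]:
    """Names of secret fields whose value appears verbatim in `text` (the W007 check)."""
    return sorted(f for f in SECRET_FIELDS if creds.get(f) and creds[f] in text)


if __name__ == "__main__":
    # Stand-alone run: requires the four TRANZILA_* variables in the environment.
    c = load_credentials()
    req = build_charge_request("10.00", "0128", c)
    print(redact(req))                      # safe to log
    print(secrets_leaked(str(redact(req)), c))  # expected: []
```

The leak check is the part to wire into a review gate: render the instruction text or the command an agent is about to run, call `secrets_leaked` on it with the live credentials, and refuse to proceed if the list is non-empty.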

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payment gateway integration for Tranzila. It documents concrete APIs, endpoints and parameters to create charges (POST to /cgi-bin/tranzila31tk.cgi with supplier, TranzilaPW, TranzilaTK, expdate, sum), process refunds (tranmode=C...), create tokens and charge them later, set up standing orders/recurring billing, generate payment links, and accept Bit payments. These are purpose-built financial execution operations (charging cards, refunding money, scheduling recurring charges), not generic tooling, so the skill grants direct financial execution authority to whatever invokes it.

Issues (2)

W007  HIGH    Insecure credential handling detected in skill instructions.
W009  MEDIUM  Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 30, 2026, 06:09 AM
Issues: 2