charge-pix

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). This skill instructs users to paste their real Kobana API token directly into CLI/config JSON and shows examples embedding "Authorization: Bearer your_access_token" (and warns pasting is required for Claude Desktop), which requires the agent to handle or output secret values verbatim and is therefore high risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to manage payments: it provides MCP tools and REST API endpoints to create, update, cancel Pix charges, create/list payments, and manage Pix accounts (e.g., tools like create_charge_pix, cancel_charge_pix, and API endpoints POST /v2/charge/pix and POST /v2/charge/payments). These are direct payment/Gateway operations for the Pix system (a real financial payment rail), not generic tooling. Therefore it grants direct financial execution capability.