stripe

Fail

Audited by Snyk on Apr 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes literal API keys and webhook secrets in examples and curl commands (e.g., Authorization: Bearer sk_test_emulated, secret: whsec_test) and shows hardcoding them in config, which encourages or requires emitting secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is an explicit Stripe API emulator designed for payment operations: it exposes endpoints and SDK integrations for creating payment intents, checkout sessions, charges, customers, and confirming/canceling payments (and firing payment-related webhooks). Even though it emulates payments locally (no real money moves), its primary and explicit purpose is to perform payment gateway actions (Stripe-like transaction creation/confirmation), which qualifies as direct financial execution capability.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 05:34 AM
Issues: 2