gift-card-issuance
Fail
Audited by Snyk on Apr 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the agent to emit the issued gift card code and identifiers verbatim in session summaries and JSON outputs, which are sensitive, token-like secrets tied to monetary value and therefore require the LLM to handle secret values directly.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to create/store monetary value: it programmatically issues Shopify gift cards via the Shopify GraphQL mutation giftCardCreate, requires the write_gift_cards API scope, and contains safety notes that giftCardCreate "issues real monetary value" that is immediately redeemable. This is a specific financial operation (creating/crediting store-value), not a generic capability, so it qualifies as direct financial execution. The presence of an actual mutation named GiftCardCreate and required auth scopes confirms it can move monetary value.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).