agent-card
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly exposes decrypted PAN, CVV, and expiry via get_card_details and instructs the agent to present card details to the user when needed, which requires outputting sensitive card data verbatim and therefore creates a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to manage prepaid virtual Visa cards and to perform money-related actions. It exposes create_card (takes an amount_cents to create/fund a card), get_funding_status (polls payment/checkout sessions), get_card_details (returns PAN/CVV/expiry), check_balance, and close_card (permanently closes a card and forfeits the remaining balance). These are direct payment/card-issuance operations (not generic tools), including initiating funding and returning sensitive card credentials — therefore it grants direct financial execution capability.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).