medusa

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes explicit plaintext secrets and commands that pass passwords on the command line (e.g., npx medusa user -e admin@example.com -p supersecret, password123, and JWT_SECRET placeholders). Instructions written this way require or encourage the agent to emit secret values verbatim in its output, and a password given as a command-line argument is exposed through process listings and shell history, so the pattern is insecure regardless of the value chosen.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes payment gateway integration: a "Payment Integration" section shows installing @medusajs/payment-stripe, configuring it in medusa-config with STRIPE_API_KEY, and admin instructions to add Stripe as a payment provider. The Store API also includes endpoints to complete carts/create orders (POST /store/carts/{cart.id}/complete), which together indicate the skill is designed to process payments via Stripe. This is a specific financial execution capability (payment gateway).
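As an added example (not code from the audited skill or from the Medusa project), the following POSIX shell script checks a .env file for the weak patterns behind W007: placeholder or empty values for JWT_SECRET, passwords and API keys, including the STRIPE_API_KEY named in W009, and it generates a replacement signing secret with real entropy. The sample .env is constructed here; the placeholder list beyond supersecret and password123, the variable names ADMIN_PASSWORD and COOKIE_SECRET, and the 32-character minimum for signing secrets are assumptions.

```shell
#!/bin/sh
# Added example, not part of the audited skill or of the Medusa project.
# Scans a Medusa-style .env file for the weak patterns the W007 finding
# describes (placeholder, empty, or short secrets) and generates a
# replacement JWT_SECRET / COOKIE_SECRET with real entropy. POSIX sh.
set -eu

# is_placeholder VALUE: returns 0 if VALUE is a well-known placeholder.
# supersecret and password123 are quoted in the finding; the rest are assumptions.
is_placeholder() {
  case "$1" in
    supersecret|password123|changeme|secret|password) return 0 ;;
    *) return 1 ;;
  esac
}

# check_env_secrets FILE
# Prints one WEAK line per problem to stderr. Returns 0 when the file is
# clean and 1 when any secret-bearing variable is empty, a placeholder, or
# (for *SECRET* variables, which sign tokens and cookies) shorter than 32 chars.
check_env_secrets() {
  file=$1; bad=0
  while IFS='=' read -r key val; do
    case "$key" in ''|\#*) continue ;; esac        # skip blank lines and comments
    val=${val#\"}; val=${val%\"}                   # strip one layer of quotes
    val=${val#\'}; val=${val%\'}
    case "$key" in
      *SECRET*|*PASSWORD*|*API_KEY*|*TOKEN*)
        if [ -z "$val" ]; then
          echo "WEAK: $key is empty" >&2; bad=1
        elif is_placeholder "$val"; then
          echo "WEAK: $key uses placeholder value '$val'" >&2; bad=1
        else
          case "$key" in
            *SECRET*)
              if [ "${#val}" -lt 32 ]; then
                echo "WEAK: $key has ${#val} chars; use at least 32" >&2; bad=1
              fi ;;
          esac
        fi ;;
    esac
  done < "$file"
  return "$bad"
}

# generate_secret: 32 random bytes as 64 hex characters (openssl, or od fallback).
generate_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
  fi
}

# Demonstration on a constructed .env whose weak values mirror the audit text.
demo_env=$(mktemp)
cat > "$demo_env" <<'EOF'
# constructed sample; the weak values are the ones quoted in the audit
DATABASE_URL=postgres://localhost/medusa
JWT_SECRET=supersecret
COOKIE_SECRET=
ADMIN_PASSWORD=password123
STRIPE_API_KEY=
EOF
if check_env_secrets "$demo_env"; then
  echo "no weak secrets found"
else
  echo "rotate the flagged values, e.g. JWT_SECRET=$(generate_secret)"
fi
rm -f "$demo_env"
```

The check only catches weak values at rest in the config file. Even with strong values, a password handed to a CLI as an argument such as -p remains visible in process listings and shell history, so where a tool supports it, prefer an interactive prompt or a secret read from a file or secret store over an argument on the command line.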

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 9, 2026, 07:27 PM
Issues
2