hostinger-tools

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes multiple example commands that embed plaintext passwords and an SSH key as command-line arguments (e.g., --password "SecurePass123!"), which requires including secret values verbatim and thus presents an exfiltration risk despite mentioning an env var for HOSTINGER_TOKEN.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes Hostinger billing APIs that explicitly modify payment/billing state: commands include billing-payment-method-set-default, billing-payment-method-delete, billing-subscription-cancel, billing-auto-renewal-enable/disable (and other billing-management operations). These are specific financial/billing actions (changing payment methods and cancelling subscriptions/renewals) rather than generic browsing or inspection, and thus constitute direct financial execution capability.