pricing-strategy

Fail

Audited by Snyk on May 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs embedding an Authorization Bearer token in a CLI command (--header "Authorization: Bearer key_your_api_key_here"), which encourages outputting API keys verbatim and thus risks secret exfiltration.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is specifically about monetisation and billing and explicitly references and integrates payment systems. It names payment providers (Stripe, Paddle, PayPal), recommends Credyt as a payments/real-time usage-billing provider, and instructs running setup commands (e.g., /credyt:setup and an npx add-mcp command including an Authorization: Bearer key). It describes Credyt features that perform real financial actions (recurring subscriptions, real-time prepaid wallets, instant debit per event, entitlements). Those are specific financial execution integrations rather than generic tooling, so this skill grants Direct Financial Execution capability.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 7, 2026, 05:25 AM
  • Issues: 2