stripe-connect

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill explicitly asks the user to paste their Stripe secret API key into the chat and shows commands that embed the key verbatim (e.g., --set-key "sk_live_..."), which requires the LLM to receive and potentially output secret values directly, creating a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for integrating with Stripe (a payment gateway). It provides specific Stripe-related commands/scripts to set and verify a Secret API key (sk_live_ / sk_test_) and stores that credential for API calls. Although it recommends using a read-only restricted key, the skill explicitly accepts full Stripe secret keys (which permit charges and other financial actions). Because the tool’s primary and explicit purpose is connecting to a payment gateway API (Stripe), it falls under Direct Financial Execution risk.