didit-proof-of-address

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill's examples and usage notes require the caller to supply an x-api-key, and they show API keys and passwords embedded verbatim in request headers, in code snippets, and in a registration flow whose response returns an api_key. Patterns like these encourage the model to reproduce secret values word for word in the requests or commands it generates, from where they spread into transcripts, logs and shell history.
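To make the finding concrete, here is an added Python example (not code from the Snyk report or from the audited skill) that puts the flagged pattern beside a hardened one and adds a scanner that flags literal x-api-key, api_key and password values in skill text or in a command the model proposes. The x-api-key header, the api_key response field and the /v3/billing/balance/ path come from the report; the DIDIT_API_KEY environment variable, the ${...} placeholder syntax, the host api.example.invalid and the sample key are assumptions.

```python
"""Keeping the x-api-key out of generated requests.

Added example, not part of the Snyk report or of the audited skill. The header
name x-api-key, the api_key response field and the billing path come from the
report; the environment variable DIDIT_API_KEY, the host api.example.invalid,
the placeholder syntax and the sample key below are assumptions.
"""
import os
import re
from typing import Mapping

ENV_VAR = "DIDIT_API_KEY"            # assumed name of the env var holding the key
PLACEHOLDER = "${" + ENV_VAR + "}"   # what skill text should show instead of a value
MIN_SECRET_LEN = 16                  # shorter tokens are treated as identifiers, not keys


def insecure_headers(api_key: str) -> dict:
    """The pattern the audit flags: the literal key is passed around as a value,
    so it ends up verbatim in prompts, generated commands and logs."""
    return {"x-api-key": api_key}


def secure_headers(env: Mapping[str, str] = os.environ) -> dict:
    """Resolve the key at send time from the environment; the skill text and the
    model only ever see the placeholder, never the value."""
    key = env.get(ENV_VAR)
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to build an unauthenticated request")
    return {"x-api-key": key}


def redact(headers: Mapping[str, str]) -> dict:
    """Copy of the headers that is safe to log or echo back to the model."""
    return {k: (PLACEHOLDER if k.lower() == "x-api-key" else v) for k, v in headers.items()}


# Matches "x-api-key: value", "x-api-key": "value", api_key=value, password: value ...
_SECRET_FIELD = re.compile(
    r"""(x-api-key|api_key|password)['"]?\s*[:=]\s*['"]?([^'"\s\\,]+)""", re.IGNORECASE)
# Values that are references or placeholders rather than secrets: ${VAR}, $VAR, <VAR>, {{var}}
_REFERENCE = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|\{\{[^}]+\}\})$")


def find_verbatim_secrets(text: str) -> list:
    """Return (field, value) pairs where a secret-bearing field carries a literal
    value instead of an env reference or placeholder. Run this over the skill's
    instructions and over every command the model proposes before executing it."""
    hits = []
    for field, value in _SECRET_FIELD.findall(text):
        if _REFERENCE.match(value) or len(value) < MIN_SECRET_LEN:
            continue
        hits.append((field.lower(), value))
    return hits


# Constructed sample of the kind of skill text the report describes; the key is fake.
SKILL_TEXT = """
curl -H "x-api-key: dd_live_4f9c2a8b1e7d3c6a" https://api.example.invalid/v3/billing/balance/
Registration returns: {"api_key": "dd_live_4f9c2a8b1e7d3c6a"}
curl -H "x-api-key: ${DIDIT_API_KEY}" https://api.example.invalid/v3/billing/balance/
"""

if __name__ == "__main__":
    for field, value in find_verbatim_secrets(SKILL_TEXT):
        print(f"literal secret in field {field}: {value[:6]}...")
    print(redact(insecure_headers("dd_live_4f9c2a8b1e7d3c6a")))
```

Only the first two lines of the sample are reported: the third uses an environment reference, which is what the skill's own examples should have shown. Short identifiers such as a variable named api_key are deliberately ignored so that ordinary code does not trip the scanner.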

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). Although the skill's stated purpose is proof-of-address verification, it also exposes billing endpoints: GET /v3/billing/balance/ and POST /v3/billing/top-up/, the latter taking an amount_in_dollars and returning a Stripe checkout link. A named payment integration (Stripe) combined with an action that initiates a top-up meets the "Payment Gateways" criterion for Direct Financial Execution.
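An added Python example (not the report's or the skill's code) of the guard a host should place in front of these endpoints: proposed calls are classified by normalized method and path, the balance read passes through but is labelled, and the top-up is refused unless a human has approved that specific call and amount_in_dollars is a finite positive number within a cap. The endpoint paths and the field name come from the report; the cap, the /v3/ verification prefix, the ToolCall and Decision structures and the demo amounts are assumptions.

```python
"""Gating the money-moving endpoints behind explicit approval.

Added example, not part of the Snyk report or of the audited skill. The
endpoints GET /v3/billing/balance/ and POST /v3/billing/top-up/ and the
amount_in_dollars field are taken from the report; the cap, the verification
path prefix and the decision structure are assumptions.
"""
import math
import posixpath
from dataclasses import dataclass, field
from typing import Any, Dict

MAX_TOPUP_USD = 100.0     # assumed per-call ceiling for an agent-initiated top-up
VERIFY_PREFIX = "/v3/"    # assumed: everything else under the API is verification work

# Only the top-up actually moves money; the balance read is harmless on its own
# but reveals that the account is billable, so it is allowed and labelled.
MONEY_ENDPOINTS = {("POST", "/v3/billing/top-up/")}
BILLING_READ_ENDPOINTS = {("GET", "/v3/billing/balance/")}


@dataclass(frozen=True)
class ToolCall:
    method: str
    path: str
    body: Dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    category: str
    reason: str


def normalize(method: str, path: str):
    """Canonical (METHOD, path) so that a doubled slash, a dot segment, a query
    string or a missing trailing slash cannot slip past the endpoint sets."""
    path = path.split("?", 1)[0]
    path = posixpath.normpath("/" + path.lstrip("/"))
    if not path.endswith("/"):
        path += "/"
    return method.upper(), path


def valid_amount(value: Any, cap: float) -> bool:
    """amount_in_dollars must be a real, finite, positive number within the cap;
    strings, booleans and NaN/inf are rejected rather than coerced."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return math.isfinite(value) and 0 < value <= cap


def authorize(call: ToolCall, human_approved: bool = False, cap: float = MAX_TOPUP_USD) -> Decision:
    """Decide whether an agent-proposed call may be executed. Money-moving calls
    need a per-call human approval and a bounded amount; read-only billing calls
    are allowed but labelled; other verification calls pass through."""
    key = normalize(call.method, call.path)
    if key in MONEY_ENDPOINTS:
        amount = call.body.get("amount_in_dollars")
        if not valid_amount(amount, cap):
            return Decision(False, "money",
                            f"amount_in_dollars={amount!r} is not a positive number within {cap}")
        if not human_approved:
            return Decision(False, "money", "top-up requires explicit human approval for this call")
        return Decision(True, "money", f"approved top-up of {amount} USD")
    if key in BILLING_READ_ENDPOINTS:
        return Decision(True, "billing-read", "read-only billing call, logged")
    if key[1].startswith(VERIFY_PREFIX):
        return Decision(True, "verify", "verification endpoint")
    return Decision(False, "unknown", f"{key[0]} {key[1]} is not on the skill's allowlist")


if __name__ == "__main__":
    # Constructed calls of the kind an agent following the skill might propose.
    for call, approved in [
        (ToolCall("GET", "/v3/billing/balance/"), False),
        (ToolCall("POST", "/v3/billing/top-up/", {"amount_in_dollars": 50}), False),
        (ToolCall("post", "/v3/billing//top-up?x=1", {"amount_in_dollars": 50}), True),
        (ToolCall("POST", "/v3/billing/top-up/", {"amount_in_dollars": "50"}), True),
    ]:
        d = authorize(call, human_approved=approved)
        print(f"{call.method} {call.path}: {'ALLOW' if d.allowed else 'DENY'} ({d.category}) {d.reason}")
```

The approval flag is per call, not a session-wide switch: a model that has been told "you may top up" once should still not be able to repeat the action with a different amount. The path normalization matters because an allowlist keyed on the literal string in the skill text is trivially bypassed by a doubled slash or a dropped trailing slash.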

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 11, 2026, 06:44 AM