mercadopago-subscriptions
Audited by Socket on Mar 2, 2026
1 alert found:
Security: This skill/document describes a standard, server-side implementation pattern for MercadoPago recurring subscriptions and, at the documentation level, does not contain direct malicious code or obvious supply-chain attack vectors. The main risks are operational: handling and protecting high-value secrets (MP_ACCESS_TOKEN, MP_WEBHOOK_SECRET, RESEND_API_KEY), ensuring correct webhook verification, avoiding logging sensitive fields, limiting the Supabase service-role privilege scope, and implementing idempotency and retries correctly to avoid duplicate charges. If implemented per best practices (secure secret storage, strict logging/redaction, least-privilege service accounts, robust webhook verification, and careful idempotency handling), the design is appropriate. Misimplementation or secrets leakage would present significant financial and data risks.