stripe-payments

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes hardcoded API keys and webhook secrets in code examples (e.g., stripe.api_key = "sk_test_...", Stripe('pk_test_...'), 'whsec_...'), which encourages embedding secret values verbatim in generated code or commands and thus creates exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe payment integration and contains concrete APIs and code to create payment flows, payment intents, checkout sessions, subscriptions, billing-portal sessions, and refunds (e.g., stripe.checkout.Session.create, stripe.PaymentIntent.create, stripe.Refund.create). It uses secret API keys and webhook handling to process and confirm payments. These are specific financial execution functions (moving money, charging cards, issuing refunds, managing subscriptions), not generic tooling.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 09:10 PM