api-onboarding

Fail

Audited by Snyk on Mar 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt repeatedly instructs the assistant to display and pre-fill API keys, including realistic-looking examples such as sk_test_abc123 and sk_live_..., pre-populated examples, and phrasing like "Here's your test API key...". This encourages embedding secret values verbatim in generated code and outputs, creating a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes payment gateway functionality in its examples and sandbox guidance: it shows client.payments.create calls with amounts and card numbers, provides test card numbers and their expected behaviors (successful charge, declined, insufficient funds, expired), and references sandbox and production API keys (sk_test_/sk_live_). These are concrete payment API patterns for creating charges and transactions, so the skill contains direct financial execution capabilities.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 4, 2026, 02:26 PM