pci-compliance
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes hardcoded secret-like placeholders and explicit assignments (e.g., stripe.api_key = "sk_...", pk_..., example PAN/CVV) and demonstrates embedding secrets directly in code, which encourages handling or outputting secrets verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes payment gateway integration and calls that perform monetary actions: it shows Stripe usage (stripe.api_key = "sk_..."), a charge_with_token method that calls stripe.Charge.create to create charges, and customer/payment-method storage via stripe.Customer.modify. These are concrete payment gateway APIs for creating charges and managing payment methods, which constitute direct financial execution authority.