catalog-kit

Fail

Audited by Snyk on May 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes numerous examples and workflows that embed API keys and secret tokens verbatim (e.g., curl -H "Authorization: Bearer cfk_...", export CATALOG_KIT_TOKEN="cfk_...", STRIPE_SECRET_KEY=sk_test_...), and it describes managing and rotating keys and asking for or setting tokens in CLI calls. These patterns require the agent to accept and emit secret values verbatim, which creates an exfiltration risk: a secret the agent has handled can be echoed into transcripts, logs, or a later tool call.
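The check a reviewer would want for this finding is a scanner that runs over the skill's instruction text, reports every literal credential of the kinds listed above, and rewrites them as placeholders so the instructions keep the call shape without the value. The block below is an added example, not code from the Snyk report or the catalog-kit project; the token alphabets and lengths are assumptions (the report only shows the prefixes cfk_ and sk_test_), and the sample skill text is constructed for the demo.

```python
"""Added example, not from the Snyk report or the catalog-kit project: scan
skill-instruction text for the verbatim credentials the W007 finding describes
and rewrite them as placeholders. Token tail shapes are assumptions; the report
only shows the prefixes cfk_ and sk_test_."""
import re
from dataclasses import dataclass

# Known prefixes from the report; the tail shapes after them are assumed.
TOKEN_PATTERNS = {
    "catalog_kit_token": re.compile(r"\bcfk_[A-Za-z0-9]{8,}"),
    "stripe_secret_key": re.compile(r"\bsk_(?:test|live)_[A-Za-z0-9]{8,}"),
}
# Any other literal bearer credential. A shell reference such as
# "Bearer $TOKEN" does not match because '$' is not in the character class.
BEARER = re.compile(r"(?i)\bBearer\s+(?P<tok>[A-Za-z0-9._\-]{16,})")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    value: str


def scan(text):
    """Return every literal secret in text, grouped by line in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(lineno, kind, m.group(0)))
                seen.add(m.group(0))
        for m in BEARER.finditer(line):
            if m.group("tok") not in seen:  # already reported under its prefix
                findings.append(Finding(lineno, "bearer_token", m.group("tok")))
    return findings


def redact(text):
    """Replace each literal secret with a placeholder naming its kind, so the
    instructions still show the call shape without carrying the value."""
    out = text
    for f in scan(text):
        out = out.replace(f.value, f"<redacted {f.kind}>")
    return out


# Constructed sample skill text for the demo (values are obviously fake).
SAMPLE_SKILL = """\
Set your token once:
  export CATALOG_KIT_TOKEN="cfk_EXAMPLE0000000000000000"
Then call the API:
  curl -H "Authorization: Bearer cfk_EXAMPLE0000000000000000" https://api.example.com/v1/forms
Stripe test mode:
  STRIPE_SECRET_KEY=sk_test_EXAMPLE00000000000000
The pattern that passes review references the variable instead of the value:
  curl -H "Authorization: Bearer $CATALOG_KIT_TOKEN" https://api.example.com/v1/forms
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SKILL):
        print(f"line {f.line}: {f.kind}")
    print(redact(SAMPLE_SKILL))
```

Running it on the sample reports the three literal values on lines 2, 4 and 6 and leaves the `$CATALOG_KIT_TOKEN` reference on line 8 untouched, which is the shape a passing skill should use throughout: tell the user to set the variable out of band, and never ask the agent to print, echo or rotate the value itself.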

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly allows loading and executing untrusted third-party content: external scripts via settings.scripts (e.g., https://cdn.example.com/my-components.js) that register on window.__catalogkit_components, inline script tags in html components, and arbitrary iframe src URLs. All of these run code that can call the CatalogKit API (kit.setField, kit.on('beforenext', ...), and so on) and can therefore change navigation, validation, and agent-visible state, which is the channel for indirect prompt injection.
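The practical control for this finding is to validate the settings object before anything in it is loaded: scripts and iframes only from allowlisted https origins, and no inline script or event handlers in html components. The block below is an added example, not code from the Snyk report or the catalog-kit project; the settings and component shape (a `scripts` list of URLs, a `components` list with `type`, `html` and `src` fields), the allowlist, and the sample settings are all assumptions constructed for the demo.

```python
"""Added example, not from the Snyk report or the catalog-kit project: validate a
settings object before it is loaded so that only allowlisted https origins may
supply scripts or iframes, and html components may not carry inline script.
The settings/component shape and the allowlist below are assumptions."""
import re
from urllib.parse import urlparse

# Assumed allowlist of origins that may supply code or frames.
ALLOWED_ORIGINS = frozenset({"https://cdn.example.com", "https://widgets.example.com"})

# Heuristic, not a parser: catches <script>, on*= handlers and javascript: URLs.
# A real deployment should sanitize html components with an HTML parser instead.
INLINE_CODE = re.compile(r"(?is)<script\b|\bon[a-z]+\s*=|javascript\s*:")


def origin_of(url):
    """Return 'https://host[:port]' for a plain https URL, else None.
    Userinfo (https://good@evil) is rejected so an allowlisted host name
    cannot be smuggled into the authority part of a URL for another host."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        return None
    host = p.hostname.lower()
    return f"https://{host}:{p.port}" if p.port else f"https://{host}"


def check_settings(settings):
    """Return a list of (where, value, reason); an empty list means the settings pass."""
    violations = []
    for i, url in enumerate(settings.get("scripts", [])):
        if origin_of(url) not in ALLOWED_ORIGINS:
            violations.append((f"scripts[{i}]", url, "script origin not allowlisted"))
    for i, comp in enumerate(settings.get("components", [])):
        where = f"components[{i}]"
        if comp.get("type") == "html" and INLINE_CODE.search(comp.get("html", "")):
            violations.append((where, comp.get("id"), "inline script or event handler in html component"))
        elif comp.get("type") == "iframe" and origin_of(comp.get("src", "")) not in ALLOWED_ORIGINS:
            violations.append((where, comp.get("src"), "iframe src origin not allowlisted"))
    return violations


# Constructed sample settings for the demo.
SAMPLE_SETTINGS = {
    "scripts": [
        "https://cdn.example.com/my-components.js",   # allowlisted
        "https://cdn.attacker.example/loader.js",      # unknown origin
        "http://cdn.example.com/legacy.js",            # plaintext, tamperable in transit
    ],
    "components": [
        {"id": "intro", "type": "html", "html": "<p>Welcome</p>"},
        {"id": "promo", "type": "html", "html": '<img src=x onerror="kit.setField(\'total\', 0)">'},
        {"id": "pay", "type": "iframe", "src": "https://widgets.example.com/pay"},
        {"id": "help", "type": "iframe", "src": "https://cdn.example.com@evil.example/help"},
    ],
}

if __name__ == "__main__":
    for where, value, reason in check_settings(SAMPLE_SETTINGS):
        print(f"{where}: {reason} ({value})")
```

The allowlist only bounds who may supply code; an allowlisted script still runs with the full kit.* API once loaded, so pin its content as well (Subresource Integrity hashes for scripts, a Content-Security-Policy on the host page) rather than trusting the origin alone.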

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill includes explicit, built-in payment gateway functionality (Stripe). It exposes API endpoints and configuration for Stripe secret and publishable keys, creates Stripe Checkout sessions and PaymentIntents (/checkout/session, /checkout/intent), supports captures and authorization holds, trial billing flows, customer reuse, Stripe webhooks, and client-side bridge methods (kit.startCheckout, kit.setStripeCustomerId, kit.setClientReferenceId, cart payment item overrides) that let an agent assemble a cart and trigger real checkouts. These are specific payment-execution primitives (creating or confirming charges, authorizations, and checkout sessions), not generic HTTP or browser automation, so the skill grants direct financial execution authority.
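Because the skill hands the agent payment primitives rather than generic HTTP, the mitigation belongs in the agent harness: a deny-by-default gate that inspects each outgoing request and refuses the money endpoints unless a human approval is bound to the exact path and amount, with a cap on what an agent-initiated checkout may total. The block below is an added example, not code from the Snyk report or the catalog-kit project; the two endpoint paths come from the report, while the cart body shape, the approval record, the amount cap, and the sample requests are assumptions constructed for the demo.

```python
"""Added example, not from the Snyk report or the catalog-kit project: a policy
gate an agent harness runs before sending an HTTP request on the agent's
behalf, so the payment primitives the W009 finding lists cannot be triggered
without a human approval bound to the exact path and amount."""
from dataclasses import dataclass, field

# Endpoint paths named in the report. Treating exactly these as the "money"
# set is this example's policy choice; extend it for any others the skill exposes.
MONEY_PATHS = frozenset({"/checkout/session", "/checkout/intent"})
# Assumed policy: a single agent-initiated checkout may not exceed this total.
MAX_AGENT_AMOUNT_CENTS = 5_000


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    body: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Approval:
    """Out-of-band human approval for one request; the fields bind what was approved."""
    path: str
    amount_cents: int
    approved_by: str


def cart_total_cents(body):
    """Assumed cart shape: body['items'] is a list of {unit_amount_cents, quantity}."""
    return sum(int(i["unit_amount_cents"]) * int(i.get("quantity", 1))
               for i in body.get("items", []))


def decide(req, approval=None):
    """Return (allowed, reason). Deny by default for anything that moves money."""
    path = req.path.split("?", 1)[0]
    # The agent must never be the channel that carries a Stripe secret key,
    # whatever the endpoint (str() of a nested value still exposes the prefix).
    if any("sk_live_" in str(v) or "sk_test_" in str(v) for v in req.body.values()):
        return False, "request body carries a Stripe secret key"
    if path not in MONEY_PATHS:
        return True, "not a money endpoint"
    total = cart_total_cents(req.body)
    if total > MAX_AGENT_AMOUNT_CENTS:
        return False, f"cart total {total} exceeds agent cap {MAX_AGENT_AMOUNT_CENTS}"
    if approval is None:
        return False, "money endpoint requires human approval"
    if approval.path != path or approval.amount_cents != total:
        return False, "approval does not match this request's path and amount"
    return True, f"approved by {approval.approved_by} for {total} cents"


# Constructed sample requests for the demo.
CART = {"items": [{"name": "Pro plan", "unit_amount_cents": 1999, "quantity": 2}]}
CHECKOUT = Request("POST", "/checkout/session", CART)
OK_APPROVAL = Approval("/checkout/session", 3998, "alice@example.com")
STALE_APPROVAL = Approval("/checkout/session", 1999, "alice@example.com")  # cart changed since approval

if __name__ == "__main__":
    for label, verdict in [
        ("no approval", decide(CHECKOUT)),
        ("matching approval", decide(CHECKOUT, OK_APPROVAL)),
        ("stale approval", decide(CHECKOUT, STALE_APPROVAL)),
        ("read-only call", decide(Request("GET", "/forms/123"))),
    ]:
        print(f"{label}: {verdict}")
```

Binding the approval to the computed total is the point: an approval for "a checkout" that the agent can then re-price with a cart payment item override is no control at all, and the same check should also cover the client-side path (kit.startCheckout) if the harness drives a browser.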

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: May 7, 2026, 12:15 PM
  • Issues: 3