stripe-integration
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt contains code that hardcodes API keys and webhook secrets as string literals (e.g., stripe.api_key = "sk_test_...", endpoint_secret = "whsec_..."), which encourages embedding secret values verbatim in generated code and thus risks secret exposure.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe payment-integration module. It contains concrete API usage for a payment gateway (Stripe): creating Checkout Sessions and PaymentIntents, creating subscriptions, attaching payment methods, issuing refunds (stripe.Refund.create / create_refund), and handling webhook events tied to payment outcomes. These are direct financial execution operations (charging customers, issuing refunds, managing subscriptions and payment methods), so the skill meets the "Payment Gateways" criterion for Direct Financial Execution.
Audit Metadata