stripe-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt demonstrates and encourages embedding API keys and webhook secrets as string literals (e.g., stripe.api_key = "sk_test_...", endpoint_secret = 'whsec_...') and returning client_secret values, which requires the agent to handle and potentially output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to integrate with Stripe (a payment gateway) and includes concrete API calls that create payments, subscriptions, refunds, and manage customer payment methods (e.g., stripe.checkout.Session.create, stripe.PaymentIntent.create/confirm, stripe.Subscription.create, stripe.Refund.create, stripe.PaymentMethod.attach). These are direct financial execution operations — not generic tooling — and can initiate or modify money movement and billing. Therefore it grants direct financial execution authority.