cli-reference

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed secret values verbatim in commands (e.g., printf/echo with "phc_xxx", echo 'NEXT_PUBLIC_POSTHOG_KEY=phc_xxx' >> .env.local and curl -H "Authorization: Bearer $POSTHOG_API_KEY"), which instructs copying or outputting secrets directly rather than only referencing environment variables.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes Stripe CLI commands (e.g., creating products and prices, listing production resources, managing webhooks). Stripe is a payment gateway and those commands are specific financial operations (creating prices/products that determine charges). This is a specific tool to perform financial actions, so it grants direct financial execution capability.