fix-stripe

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs retrieving a Stripe webhook secret via the CLI and adding it verbatim to .env.local (and shows hardcoded key examples), which requires the agent to handle and potentially output secret values directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to operate on a payment gateway (Stripe). It contains Stripe-specific APIs and code examples (initializing Stripe with secret key, stripe.webhooks.constructEvent, stripe.billingPortal.sessions.create), instructions to manage webhook secrets and secret keys, subscription checks, and CLI commands like stripe listen / stripe trigger. These are specific, non-generic payment-integration operations rather than a general-purpose tool, so it grants direct financial execution/management capability.

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:52 AM