stripe

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill includes explicit commands that set or embed secret values on the command line (e.g., npx convex env set --prod STRIPE_WEBHOOK_SECRET "$(printf '%s' 'whsec_...')") and requires comparing/reading STRIPE_SECRET_KEY, which forces handling and potentially outputting secrets verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and specifically built to manage Stripe payment flows and account configuration. It references the stripe package and STRIPE_* secrets, runs stripe CLI commands (e.g., stripe events list), creates and verifies checkout sessions (including using test card 4242 4242 4242 4242), inspects/creates subscriptions, updates webhook secrets and dashboard settings, and provides subscription lifecycle actions (cancel, resume, update payment method). These are direct Payment Gateway operations (Stripe) that create, modify, and verify financial transactions/subscriptions—i.e., direct financial execution capability.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 18, 2026, 03:13 AM