stripe-one-time-payment

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes commands that place secret keys/tokens directly on the command line (e.g., printf "YOUR_SECRET_KEY" | vercel env add ... and use of $VERCEL_TOKEN), which encourages embedding secrets verbatim in generated commands and thus creates an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup explicitly clones and runs code from the remote repository https://github.com/Eng0AI/stripe-one-time-payment.git which fetches and then executes that external code (npm install / npm start), so the runtime depends on and executes remote code from that URL.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe Checkout integration for accepting one-time payments. It requires STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY, includes endpoints like create-checkout-session, auto-creates products, provides test card numbers, and contains deploy instructions to live keys—i.e., it is specifically designed to initiate and process payments via a payment gateway. This is direct financial execution capability (Stripe).