interswitch-setup
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes literal API-key/secret-like values in the .env example and shows how to embed them into auth headers (Base64 Basic and Bearer flows), which encourages the agent to output or copy secrets verbatim rather than keeping them only in environment variables.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). Flagged items (actual, high-entropy credentials found):
- TEST_CLIENT_ID=IKIAB23A4E2756605C1ABC33CE3C287E27267F660D61 — long, random-looking client id present in the .env (appears usable).
- CARD_API_CLIENT_ID=IKIA3B827951EA3EC2E193C51DA1D22988F055FD27DE — long, random-looking client id present in the .env (appears usable).
- CARD_API_SECRET_KEY=ajkdpGiF6PHVrwK — random-looking secret value (high entropy) present in the .env (appears usable).
Ignored items (not flagged) and why:
- TEST_SECRET_KEY=secret — low-entropy/simple string (documentation/example); ignored as a setup placeholder.
- TEST_MERCHANT_CODE=MX6072, CARD_API_MERCHANT_CODE=MX21696, CARD_API_PAY_ITEM_ID=4177785, PAY_ITEM_ID=9405967 — numeric/short merchant and pay item identifiers, not high-entropy secrets.
- LIVE_CLIENT_ID, LIVE_SECRET_KEY, LIVE_MERCHANT_CODE — clearly placeholders ("your_live_*"); ignored.
- DEFAULT_WALLET_PIN=1234 — low-security PIN/setup password; explicitly excluded per policy.
- Environment variable names, URLs, and any code that references clientId/secretKey without providing literal values are ignored per the rules.
Conclusion: there are literal, high-entropy credential values present in the .env block (the two client IDs and one secret key) that should be treated as secrets and removed/rotated if they are real.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payment integration for Interswitch: it provides OAuth client-credentials flows, passport/collections/web-checkout endpoints, environment variables for TEST/LIVE client IDs, secret keys, merchant codes and pay_item IDs, and TypeScript helpers (generateAccessToken, getAuthHeaders, interswitchRequest, collections auth, InterswitchAuth signature) to authenticate and make API calls such as wallet-pay and split settlement. These are specific payment-gateway capabilities (not generic tooling) that enable sending financial transactions. Therefore it grants direct financial execution authority.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).