ops-setup

Fail

Audited by Snyk on Feb 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to accept user-provided API keys, immediately validate them by embedding them into API requests/commands (e.g., Authorization headers, curl/echo lines) and write them into .env files or CLI commands, which requires handling and outputting secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly integrates with Stripe (a payment gateway). It validates Stripe secret keys via the Stripe API, instructs setting STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET, includes code to create Stripe webhook endpoints (stripe.webhookEndpoints.create), and details Stripe Connect OAuth setup (client IDs, authorize URL). These are specific payment-gateway APIs and secrets (not generic HTTP or browser automation). Because the skill is explicitly designed to configure and interact with a payment provider (Stripe) and can be given, and can use, platform secret keys, it meets the criteria for Direct Financial Execution authority.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 28, 2026, 10:33 PM