cardcom-payment-gateway

Fail

Audited by Snyk on May 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt's examples and request templates put ApiName/ApiPassword (and tokens) directly into JSON and request bodies, which encourages an agent to insert real credentials verbatim into generated commands or code (exfiltration risk) even though it notes to "store credentials securely".

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payment gateway integration (Cardcom) and contains concrete API endpoints and example requests to create payments, tokenize cards, perform token-based charges (recurring billing), process refunds, suspend/activate deals, and generate invoices. It lists specific payment endpoints (e.g., LowProfile.aspx, BillGoldCharge.aspx, BillGoldRefund.aspx, CreateDocument.aspx), credentials, test card data, and sample JSON requests that send transactions and refunds. This is a tool whose primary and explicit purpose is to move money and manage payment tokens, so it meets the criteria for Direct Financial Execution.

Issues (2)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 3, 2026, 06:10 AM
Issues: 2