green-invoice

Fail

Audited by Snyk on Apr 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). This skill demonstrates and instructs sending an API key id/secret in a POST body and placing the resulting JWT bearer token verbatim in Authorization headers and curl commands. This requires the LLM to handle and emit secret values directly, which creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a dedicated integration for Green Invoice / Morning, a cloud invoicing and payment-processing API. It includes JWT-authenticated endpoints for creating invoices/receipts, managing clients, adding payment records (with explicit payment types including PayPal, credit card, and bank transfer), and webhook/payment workflows. This is a purpose-built financial API integration (not a generic HTTP/tool) and is explicitly intended for invoice creation and payment processing — i.e., direct financial operations. Therefore it meets the "Direct Financial Execution" criteria.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  Risk Level: HIGH
  Analyzed: Apr 14, 2026, 11:09 AM
  Issues: 2