stripe-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly demonstrates and encourages hardcoding Stripe API keys and webhook secrets (e.g., stripe.api_key = "sk_test_..." and endpoint_secret = "whsec_...") and returns client_secret values in outputs, which requires embedding secret values verbatim in generated code/outputs — a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Stripe payment integration and contains concrete API calls and functions that create and manage payments and billing: checkout sessions, PaymentIntents (confirming payments), subscriptions, customer payment methods, refunds, dispute management, and webhook handlers. These are direct payment gateway operations (Stripe) capable of moving money and managing financial transactions, so it grants Direct Financial Execution authority.