upgrade-stripe

Fail

Audited by Snyk on Mar 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and encourages embedding API keys inline in code and curl commands (e.g., require('stripe')('sk_test_xxx', ...) and curl -u sk_test_xxx:), which would lead an agent to ask for or output real secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly about Stripe, a payment gateway, and includes concrete, actionable API usage: examples showing initialization with a secret key (sk_test_xxx), stripe.Customer.create, a curl call to https://api.stripe.com/v1/customers with authentication, and guidance for setting apiVersion and testing requests. These are specific payment-gateway operations (not generic tooling) that enable interaction with Stripe's API and could be used to create customers and perform transactions. Therefore the skill grants direct financial execution capability.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 4, 2026, 06:05 PM