upgrade-stripe

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains examples that embed API keys directly in code and curl commands (e.g., require('stripe')('sk_test_xxx') and curl -u sk_test_xxx:), which instructs including secrets verbatim in outputs and therefore poses an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about Stripe (a payment gateway) and contains Stripe-specific configuration and API usage, including code examples with secret API keys, an example curl request to the /v1/customers endpoint, and instructions to set apiVersion and perform SDK operations. This is a targeted integration for a payment gateway (Stripe), i.e., a specific tool to perform financial operations rather than a generic interface, so it grants direct financial execution capability.