create-payment-credential

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires the agent to retrieve and output verbatim sensitive payment secrets (card numbers, CVC, passphrases, raw WWW-Authenticate header values / SPTs) and to pass raw header/token values into CLI commands, which forces the LLM to handle secrets in plaintext.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Step 2 of SKILL.md explicitly requires the agent to "Navigate to the merchant page — browse it, read the page content, and understand how the site accepts payment", meaning the agent must fetch and interpret arbitrary public merchant webpages (untrusted third-party content) which directly determines credential type and subsequent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to obtain and use payment credentials to complete purchases. It describes authenticating with Link, creating "spend-request" objects, obtaining one-time-use card details and shared payment tokens (SPTs), retrieving card numbers/CVC/expiry, and using commands like link-cli spend-request create, link-cli spend-request retrieve, and link-cli mpp pay to perform payment flows. These are specific payment APIs/operations (issuing credentials and executing payments), not generic tooling, and therefore grant direct financial execution capability.