ship-credits

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly integrates with payment gateways and implements endpoints that create checkout sessions and handle payment webhooks (Stripe, Lemon Squeezy, Dodo). It requires secret API keys (e.g., STRIPE_SECRET_KEY, webhook secrets), creates checkout sessions, verifies signatures, performs idempotency checks, and programmatically calls add_credits on successful payments. These are specific, explicit financial execution actions (creating payment sessions and crediting accounts) — not generic tooling — so it grants direct financial execution capability.