mcp-payment-pix

Fail

Audited by Snyk on Feb 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill's instructions show examples that embed access tokens verbatim in the MCP configuration and in command arguments (as env values and as an Authorization header). An agent following these examples will write the secret values directly into the configs and commands it generates, where they end up on disk, in shell history and in logs instead of in the environment or a secret store.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's MCP setup executes remote code at runtime via "npx -y kobana-mcp-payment", which downloads and runs the kobana-mcp-payment package with no version pin or integrity check, and also supports a remote MCP endpoint ("https://mcp.kobana.com.br/payment/mcp") from which the agent receives its tool definitions. In both cases externally fetched content is executed and controls the agent's runtime tools, so the behaviour of the skill cannot be verified from the skill itself.
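A check a practitioner can run against their own MCP client configuration for the two findings above (W007 and W012), as an added example that is not part of the Snyk report and not Kobana's code: it flags literal secrets under env values and headers and unpinned `npx -y` launches, notes remote endpoints that supply tools at runtime, and rewrites the secrets as variable references. The `mcpServers` layout, the constructed `SAMPLE_CONFIG` with its made-up token values, and the `${VAR}` reference syntax are assumptions; whether your client expands such references, and with which exact syntax, must be checked against its documentation, and the package version to pin is not known from the report.

```python
"""Lint an MCP client config for W007 (literal secrets) and W012 (unpinned
npx -y launches, remote tool endpoints). Added example; the mcpServers layout
and the sample values below are assumptions, not Snyk's or Kobana's code."""
import json
import re
from typing import List

# Constructed sample in the shape the report describes: a token pasted verbatim
# into env and into an Authorization header, plus an unpinned `npx -y` launch.
# Token strings are invented placeholders, not real credentials.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "kobana-local": {
      "command": "npx",
      "args": ["-y", "kobana-mcp-payment"],
      "env": {"KOBANA_API_TOKEN": "kbn_live_0123456789abcdef0123456789abcdef"}
    },
    "kobana-remote": {
      "url": "https://mcp.kobana.com.br/payment/mcp",
      "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed"}
    }
  }
}
"""

SECRET_KEY_RE = re.compile(r"token|secret|password|api[_-]?key|authorization", re.I)
# A variable reference such as ${KOBANA_API_TOKEN} or ${env:KOBANA_API_TOKEN}
# (assumed syntax; confirm what your client actually expands).
REF_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_.:]*\}?$")


def strip_scheme(value: str) -> str:
    """Drop a leading 'Bearer ' so the header token is judged like an env value."""
    v = value.strip()
    return v[7:].strip() if v.lower().startswith("bearer ") else v


def is_literal_secret(value) -> bool:
    """True for a long literal string under a secret-looking key that is not a reference."""
    if not isinstance(value, str):
        return False
    v = strip_scheme(value)
    return not REF_RE.match(v) and len(v) >= 16


def is_pinned(pkg: str) -> bool:
    # "name@1.2.3" and "@scope/name@1.2.3" are pinned; "name" and "@scope/name" are not
    return "@" in pkg.lstrip("@")


def lint_mcp_config(text: str) -> List[str]:
    findings: List[str] = []
    servers = json.loads(text).get("mcpServers", {})
    for name, server in servers.items():
        for section in ("env", "headers"):
            for key, value in (server.get(section) or {}).items():
                if SECRET_KEY_RE.search(key) and is_literal_secret(value):
                    findings.append(f"W007 {name}: literal secret in {section}[{key!r}]")
        args = server.get("args") or []
        if server.get("command") == "npx" and "-y" in args:
            for pkg in (a for a in args if not a.startswith("-")):
                if not is_pinned(pkg):
                    findings.append(f"W012 {name}: unpinned npx package {pkg!r}")
        if "url" in server:
            findings.append(f"W012 {name}: remote endpoint {server['url']} supplies tools at runtime")
    return findings


def harden(text: str) -> str:
    """Return a copy of the config with every literal secret replaced by a ${VAR}
    reference (assumed syntax), keeping the 'Bearer ' scheme on headers. The real
    value then lives in the environment or a secret store, not in the config file."""
    cfg = json.loads(text)
    for name, server in cfg.get("mcpServers", {}).items():
        for section in ("env", "headers"):
            for key, value in list((server.get(section) or {}).items()):
                if SECRET_KEY_RE.search(key) and is_literal_secret(value):
                    var = re.sub(r"[^A-Z0-9]", "_", f"{name}_{key}".upper())
                    ref = "${" + var + "}"
                    server[section][key] = f"Bearer {ref}" if value.lower().startswith("bearer ") else ref
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for line in lint_mcp_config(SAMPLE_CONFIG):
        print(line)
    print(harden(SAMPLE_CONFIG))
```

Running it on the sample reports both W007 hits and both W012 hits; after `harden` only the two W012 findings remain, because neither the unpinned package nor the remote endpoint can be fixed by a config rewrite alone: pinning needs a version you have reviewed, and the remote endpoint stays a runtime dependency you must decide to trust or not.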

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform real payments via the kobana-mcp-payment MCP server. It exposes targeted financial actions: create_payment_pix, create_payment_pix_batch, approve_payment_batch, cancel_payment_pix, list_financial_accounts, get_financial_account, etc. These are bank/payment operations (Pix payments, batching and approval) that directly move or authorize the transfer of funds, not generic HTTP or browser tooling. This matches the "banking APIs / payment gateway" category and therefore grants Direct Financial Execution capability: any prompt injection or misconfiguration that reaches the agent can reach the money.
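One way to contain the Direct Financial Execution capability described above, as an added example that is not part of the Snyk report, the kobana-mcp-payment server, or any MCP client: a default-deny gate on the tool-call path that lets the read-only tools through, requires a human approval bound to the exact request (tool name plus canonical arguments) for every fund-moving tool, consumes each approval once, and caps the amount. The tool names are the ones the report lists; the argument names `amount_cents`, `pix_key`, `payments` and `batch_id`, the cap, and the approval flow are assumptions.

```python
"""Default-deny gate in front of fund-moving MCP tools. Added example; the tool
names come from the audit, everything else (argument names, cap, approval flow)
is assumed and is not Kobana's or any MCP client's code."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set

READ_ONLY = {"list_financial_accounts", "get_financial_account"}
FUND_MOVING = {"create_payment_pix", "create_payment_pix_batch",
               "approve_payment_batch", "cancel_payment_pix"}


def request_digest(tool: str, args: Dict[str, Any]) -> str:
    """Digest of one exact call. Approval binds to this, not to the tool name, so
    arguments cannot be swapped (for example by a prompt injection) after approval."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def total_cents(tool: str, args: Dict[str, Any]) -> Optional[int]:
    """Amount a create_* call would move, or None if malformed. Argument names are assumed."""
    if tool == "create_payment_pix":
        amt = args.get("amount_cents")
        return amt if isinstance(amt, int) and amt > 0 else None
    if tool == "create_payment_pix_batch":
        items = args.get("payments")
        if not isinstance(items, list) or not items:
            return None
        amts = [p.get("amount_cents") if isinstance(p, dict) else None for p in items]
        if not all(isinstance(a, int) and a > 0 for a in amts):
            return None
        return sum(amts)
    return 0  # approve/cancel act on an existing batch or payment and carry no new amount


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PaymentToolGate:
    max_amount_cents: int = 100_000               # assumed per-call cap
    approved: Set[str] = field(default_factory=set)

    def human_approve(self, tool: str, args: Dict[str, Any]) -> str:
        """Record an out-of-band human approval for exactly this request."""
        digest = request_digest(tool, args)
        self.approved.add(digest)
        return digest

    def check(self, tool: str, args: Dict[str, Any]) -> Decision:
        if tool in READ_ONLY:
            return Decision(True, "read-only tool")
        if tool not in FUND_MOVING:
            return Decision(False, f"unknown tool {tool!r}: default deny")
        amount = total_cents(tool, args)
        if amount is None:
            return Decision(False, "amount missing or malformed")
        if amount > self.max_amount_cents:
            return Decision(False, f"{amount} cents exceeds cap of {self.max_amount_cents}")
        digest = request_digest(tool, args)
        if digest not in self.approved:
            return Decision(False, f"{tool} moves or authorises funds: human approval required")
        self.approved.discard(digest)             # each approval is single-use
        return Decision(True, "approved by a human for this exact request")


if __name__ == "__main__":
    gate = PaymentToolGate(max_amount_cents=50_000)
    req = {"amount_cents": 12_500, "pix_key": "constructed@example.com"}
    print(gate.check("create_payment_pix", req))          # denied: no approval yet
    gate.human_approve("create_payment_pix", req)
    print(gate.check("create_payment_pix", req))          # allowed once
    print(gate.check("create_payment_pix", req))          # denied: approval consumed
```

The gate has to sit where tool calls actually pass, in the client or in a proxy between the agent and the MCP server; a check the agent itself is asked to perform in its instructions is no control at all, since the same prompt injection that triggers the payment can tell it to skip the check.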
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 28, 2026, 10:05 PM