autumn-create-customer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains a hardcoded API secret-like string in the Python example ("am_sk_test_xxx"), which teaches/encourages embedding secrets verbatim in generated code or outputs, creating an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for "Autumn billing integration" and documents using Autumn SDKs with a secret API key (AUTUMN_SECRET_KEY) and backend client initialization. It shows an API call (autumn.customers.create) and references the Autumn billing platform; this is a purpose-built payment/billing integration (a payment gateway-style SDK) rather than a generic tool. Because it is specifically designed for financial/billing operations and exposes API keys and client methods (implying ability to perform payment-related actions), it meets the criteria for Direct Financial Execution risk.