NYC

github-copilot

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill exposes GitHub Copilot billing/subscription endpoints (e.g., add/remove seats, assign/remove teams, get billing info) and includes curl invocations that create or cancel seats (POST/DELETE to /copilot/billing/selected_users and /copilot/billing/selected_teams). Those calls directly modify an organization's subscription and billing state, and therefore its charges, and they require billing-management permission (the manage_billing:copilot scope). Because the skill performs subscription/billing mutations rather than only reading metrics, it holds direct financial execution authority over SaaS billing; any token it is given with that scope is a token that can change what the organization pays.
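The distinction the finding draws, billing-mutating calls versus read-only billing calls, can be checked mechanically. The following is an added example (not Snyk's scanner and not code from the skill) that parses curl commands found in a skill's text, keeps those whose URL path contains /copilot/billing, and flags the ones whose HTTP method mutates state. The sample snippet is constructed for the example; the ORG and $TOKEN placeholders and the /orgs/{org}/ prefix on the paths are assumptions, as is the rule that a curl call with a body and no explicit method defaults to POST.

```python
import shlex
from urllib.parse import urlparse

# HTTP methods that change billing state (seat creation/cancellation).
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# curl options that take a value and are not the URL, so the value must be skipped.
VALUE_OPTS = {"-H", "--header", "-o", "--output", "-u", "--user", "-A", "--user-agent"}
BODY_OPTS = {"-d", "--data", "--data-raw", "--data-binary", "--data-urlencode", "--json"}


def parse_curl(command: str):
    """Return {'method', 'url'} for a curl command line, or None if it is not one."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv or argv[0] != "curl":
        return None
    method, url, has_body, force_get = None, None, False, False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-X", "--request") and i + 1 < len(argv):
            method = argv[i + 1].upper(); i += 2; continue
        if tok.startswith("--request="):
            method = tok.split("=", 1)[1].upper(); i += 1; continue
        if tok in BODY_OPTS:
            has_body = True; i += 2; continue
        if tok in ("-G", "--get"):
            force_get = True; i += 1; continue
        if tok in VALUE_OPTS:
            i += 2; continue
        if tok == "--url" and i + 1 < len(argv):
            url = argv[i + 1]; i += 2; continue
        if tok.startswith("http://") or tok.startswith("https://"):
            url = tok
        i += 1
    if method is None:
        # Assumed curl default: a body implies POST unless -G forces GET.
        method = "GET" if (force_get or not has_body) else "POST"
    return {"method": method, "url": url}


def classify_copilot_billing_calls(text: str):
    """Find curl calls against Copilot billing endpoints and mark mutating ones."""
    findings = []
    for line in text.splitlines():
        parsed = parse_curl(line.strip())
        if not parsed or not parsed["url"]:
            continue
        path = urlparse(parsed["url"]).path
        if "/copilot/billing" not in path:
            continue
        mutating = parsed["method"] in MUTATING
        findings.append({
            "method": parsed["method"],
            "path": path,
            "mutating": mutating,
            # Scope named in the finding for billing mutations; read-only calls are not classified here.
            "required_scope": "manage_billing:copilot" if mutating else None,
        })
    return findings


def direct_money_access(findings) -> bool:
    """True when at least one call changes subscription/billing state."""
    return any(f["mutating"] for f in findings)


# Constructed sample of the kind of curl calls the audit describes (ORG/$TOKEN are placeholders).
SAMPLE_SKILL_SNIPPET = """
curl -L -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $TOKEN" https://api.github.com/orgs/ORG/copilot/billing/selected_users -d '{"selected_usernames":["octocat"]}'
curl -L -X DELETE -H "Authorization: Bearer $TOKEN" https://api.github.com/orgs/ORG/copilot/billing/selected_teams -d '{"selected_teams":["engineering"]}'
curl -L -H "Authorization: Bearer $TOKEN" https://api.github.com/orgs/ORG/copilot/billing
curl -L -H "Authorization: Bearer $TOKEN" https://api.github.com/orgs/ORG/copilot/billing/seats -d 'page=1' -G
curl -L -H "Authorization: Bearer $TOKEN" https://api.github.com/repos/ORG/repo/contents/README.md
"""

if __name__ == "__main__":
    found = classify_copilot_billing_calls(SAMPLE_SKILL_SNIPPET)
    for f in found:
        print(f)
    print("direct money access:", direct_money_access(found))
```

Run as written, the four billing calls are reported and the two with POST/DELETE are the ones that trigger the "direct money access" verdict; the GET calls and the unrelated repository call do not. A reviewer applying this to a skill would then ask whether the skill's documented purpose actually needs seat mutation, or whether a token without manage_billing:copilot would suffice.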
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 09:25 PM