stripe_integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes and uses literal API and webhook secret assignments (e.g., stripe.api_key = "sk_test_..." and endpoint_secret = "whsec_...") which encourages embedding secrets verbatim into generated code/output, creating a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed for payment processing via Stripe — a payment gateway. It includes concrete API calls and functions that create payment intents and checkout sessions, create subscriptions, process refunds, attach payment methods, and otherwise initiate and manage monetary transactions (e.g., stripe.checkout.Session.create, stripe.PaymentIntent.create/confirm, stripe.Subscription.create, stripe.Refund.create, stripe.PaymentMethod.attach). These are specific, purpose-built financial operations (sending charges, issuing refunds, managing billing), not generic tooling. Therefore it grants direct financial execution capability.