stripe-shop-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs embedding Stripe secret keys into CLI commands and MCP config (e.g., --api-key=sk_test_YOUR_STRIPE_SECRET_KEY), which requires the agent to place secret values verbatim in generated commands/configs and thus creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for Stripe payment integration and includes server APIs to create payment intents and checkout sessions, webhook handling, and instructions for configuring Stripe secret keys. It also documents an MCP (Stripe MCP) for AI-assisted Stripe management with capabilities to process payments and refunds, manage customers/products/prices, and perform subscription operations. These are specific payment gateway operations that enable moving money or issuing refunds, so this grants direct financial execution authority.