stripe-integration
Fail
Audited by Snyk on Mar 8, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys and webhook secrets directly in code (e.g., stripe.api_key = "sk_test_...", Stripe("pk_test_..."), endpoint_secret = 'whsec_...'), which encourages or requires the model to output secret values verbatim and thus poses high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to perform payment operations via Stripe: it includes direct API calls and code samples to create checkout sessions, PaymentIntents, subscriptions, charge confirmations, refunds, attach/manage payment methods, and handle disputes/webhooks. These are concrete payment-execution and money-management functions (charging customers, creating subscriptions, issuing refunds), so it grants direct financial execution capability.