webpay-api
Fail
Audited by Snyk on Feb 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This skill embeds actual API credentials (Tbk-Api-Key-Id and Tbk-Api-Key-Secret) directly in headers, code examples, and curl commands, which forces the LLM to include secret values verbatim in generated outputs (high exfiltration risk).
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for literal, high-entropy values used as credentials. The document includes explicit "Integration Test Credentials" and repeats them throughout (headers, code examples, cURL). The Tbk-Api-Key-Secret value (579B532A7440BB0C9079DED94D31EA1615BACEB56610332264630D42D0A36B1C) is a high-entropy, 64-character hex string and is directly present — this qualifies as a secret by the provided definition. The Tbk-Api-Key-Id (597055555532) is a commerce code used as the API key id; it’s lower entropy but is a usable credential when paired with the secret. Note: the document labels these as integration (testing) credentials intended for developers, but they are real, directly usable values for the integration environment and therefore should be treated as secrets in a repository.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a payment integration for the Transbank Webpay Plus gateway. It defines REST endpoints and concrete operations to create payment transactions, confirm/commit payments, capture deferred payments, issue refunds/reversals, and query transaction status. It includes integration and production base URLs, API header credentials, test credentials, request/response formats, and code/cURL examples that perform live money-moving actions (create/commit/refund/capture). This is a specific payment gateway integration (not a generic API or browser automation), so it grants direct financial execution authority.
Audit Metadata