Guide for upgrading Stripe API versions and SDKs
66
Does it follow best practices?
Impact: 95%
1.21x average score across 2 eval scenarios
Risky: Do not use without reviewing
Security
2 findings — 1 high severity, 1 medium severity. You should review these findings carefully before considering using this skill.
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.
Insecure credential handling detected (high risk: 1.00). The prompt includes examples and guidance that embed API keys directly into code and curl commands (e.g., 'sk_test_xxx' in stripe initialization and curl -u), which requires the model to handle/output secret values verbatim and therefore is insecure.
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
Direct money access detected (high risk: 1.00). This documentation is specifically about the Stripe payment gateway and shows concrete API usage (e.g., initializing the Stripe client with an API key, stripe.Customer.create examples, and a curl call to https://api.stripe.com/v1/customers with an sk_test key). It explicitly targets a payment provider (Stripe) and includes code snippets for interacting with its API and mentions Payments/Billing/Connect, so it provides direct, specific capabilities to perform financial operations via a payment gateway.