opentrade-transaction
Fail
Audited by Snyk on Mar 8, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires embedding user-supplied sensitive values (e.g., full "signedTx" hex/base58) into request bodies/commands (shown in curl -d examples), which forces the LLM to handle and potentially output secrets verbatim (even though the API token is shown as an env var, the signed transaction itself is a secret that must not be exfiltrated).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill explicitly provides on-chain transaction operations for cryptocurrency networks: gas-price lookups, gas-limit estimation, transaction simulation, and—critically—an API to broadcast a signed transaction (POST /gateway/broadcast with signedTx, chainIndex, address) and to track order/tx status. It targets specific chains (Ethereum, Solana, XLayer, BSC, Polygon, etc.) and is explicitly the "final mile" to send a signed transaction on-chain. Even though it does not sign transactions itself, it is designed to transmit/send transactions (move crypto) on behalf of the user. Under the decision logic ("Send Transaction" = 1) and the crypto/blockchain criteria (wallets/swaps/signing/broadcasting), this skill grants direct financial execution capability.
Audit Metadata