bankr

Result: Fail
Audited by Snyk on Mar 1, 2026
Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask for OTPs and API keys and construct/run commands or curl requests that embed those values verbatim (e.g., --code , --api-key bk_..., X-API-Key headers), which requires the LLM to handle and output secrets directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's docs explicitly accept and act on user-provided public URLs and social media data (e.g., "Provide the mint page URL and Bankr handles the transaction" in NFT operations, OpenSea/Manifold/Polymarket integrations, and "Twitter sentiment" / "social sentiment analysis" in Market Research), showing the agent will fetch and interpret untrusted third-party web and social content which can directly influence trades and transactions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet agent with built-in write capabilities. It documents APIs and CLI commands for swaps, buys/sells, transfers, bridging, limit/stop-loss orders, leverage trading, Polymarket bets, token deployment, signing and submitting raw transactions, and synchronous endpoints (/agent/sign and /agent/submit). It also describes read-write API keys that enable these operations. These are specific, purpose-built financial execution functions (crypto wallet operations, transaction signing/submission, market orders and transfers), so it grants direct financial execution authority.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 07:41 PM