dca

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires running "npx starkfi@latest" (which fetches and executes the "starkfi" package from the npm registry, e.g. https://registry.npmjs.org/starkfi) at runtime, so remote code is fetched and executed as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform crypto financial operations on Starknet: it creates, previews, lists, and cancels recurring DCA buy orders that swap one token for another, requires an on-chain deployed account and sufficient balances, and references transaction lifecycle commands (e.g., dca-create, dca-cancel, tx-status). It targets specific DCA providers (avnu, ekubo) and includes flags to simulate vs broadcast, so its primary and explicit function is to send blockchain transactions that move funds (token swaps / scheduled buys).