portfolio

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes "npx starkfi@latest" at runtime which fetches and executes the remote npm package (e.g. https://registry.npmjs.org/starkfi), so external code from that URL is executed and required for the skill to run.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly supports automated portfolio rebalancing that executes on-chain batch swaps: it requires "sufficient token balances + gas for batch swap transactions", provides a concrete command to run portfolio-rebalance (npx starkfi@latest portfolio-rebalance --target ...) with an execution step after simulation, and shows checking tx status (npx starkfi@latest tx-status ). These are direct crypto/blockchain transaction operations (swaps/signing/execution), not just read-only or generic tooling. Therefore it grants direct financial execution capability.