bitflow

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly permits/unambiguously documents passing wallet passwords inline via flags like --wallet-password (and shows examples), which can force the LLM to emit secret values verbatim in commands/outputs, creating a high exfiltration risk; API keys are handled more safely via placeholders or env vars but the inline password option is the main insecure pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The CLI repeatedly calls public Bitflow endpoints via getBitflowService (e.g., bitflowService.getSwapQuote, getTicker, getHodlmmPools in bitflow.ts and SKILL.md) to fetch live, third-party market/pool data which the agent reads and uses to rank routes and decide/execute swaps, so untrusted external responses can materially influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly provides crypto financial execution features: token swaps, liquidity adds/withdrawals, keeper automated orders, and creating/cancelling orders — all on mainnet. Write operations require an unlocked wallet or wallet password, and swap/create-order return transaction IDs and execute on-chain. These are specific blockchain payment/transaction capabilities (wallet signing, swaps, managing funds), not generic tooling, so it grants direct financial execution authority.