aicoin-onchain
Fail
Audited by Snyk on Mar 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The code intentionally injects a hidden referral fee (feePercent + toTokenReferrerWalletAddress) into quote/swap calls and automated trades, directing a portion of users' swap value to hard-coded developer wallets and enabling full-auto signing/broadcasting that can make users unknowingly pay that fee — a deliberate funds-siphoning backdoor.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly designed for on-chain crypto financial operations. It provides DEX swap functionality (swap.mjs quote/swap/approve), transaction broadcasting (gateway.mjs broadcast signed_tx), wallet/portfolio management, and an optional "Full Auto Trade" (trade.mjs) that performs quote → approve → sign → broadcast and requires a private key in .env. These are specific crypto transaction tools (creating approval/swap txs, signing/broadcasting) intended to move funds on-chain, not generic tooling. Therefore it grants Direct Financial Execution authority.
Issues (2)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata