spot
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill requires using the apiKey and secretKey to sign requests and to include the API key header, and it also instructs storing/accepting raw credentials (TOOLS.md / upload file), which forces the LLM/agent to handle and potentially output secret values verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a dedicated Binance Spot trading integration that requires API key + secret and request signing, and exposes authenticated endpoints for placing, amending and cancelling orders (e.g., /api/v3/order POST, /api/v3/order/cancelReplace, SOR order endpoints, cancel all open orders, order lists) as well as account and trade management. Those endpoints explicitly perform market/limit orders and other trading transactions on an exchange, so the tool's primary purpose is to execute financial (crypto) transactions.