alphai-trading
Fail
Audited by Snyk on Mar 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). This skill includes explicit examples and templates that embed a dex_cookie value directly into HTTP Cookie headers and assign it inline in generated code (DEX_COOKIE = "你的dex_cookie值", i.e. "your dex_cookie value"), and it asks to generate calling code "含完整的认证" ("with complete authentication"), which would require the LLM to accept and/or output secret credential values verbatim: an exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill explicitly and concretely provides trading interfaces and call examples for buying and selling tokens on-chain. The documentation lists the core order-placement endpoint POST https://b.alph.ai/smart-web-gateway/order/create, including explicit order parameters (chain, side=BUY/SELL, type=MARKET, buyCoin/buyContract, sellCoin/sellContract, volume, slippage, etc.) and response fields (orderId, transaction hash, filled volume, fees, gas, etc.). It also provides directly runnable Python and JavaScript example code for sending order requests (buy/sell). These are capabilities dedicated to initiating and executing crypto-asset trades (moving funds / placing orders); they fall under the "crypto/blockchain (wallets, exchanges, signing)" and "send transactions / place orders" categories and therefore constitute direct financial execution authority.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata