Skills
skills/b-open-io/bsv-skills/broadcast-arc/Snyk

broadcast-arc

Fail

Audited by Snyk on Mar 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and usage patterns that embed API keys and tokens directly in code and CLI arguments (e.g., apiKey: 'mainnet_xxxxxx', --key mainnet_xxxxxx, callbackToken: 'my-secret-token'), which would require the LLM to output secret values verbatim and thus creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to broadcast signed cryptocurrency (BSV) transactions via the ARC broadcaster (e.g., arc.gorillapool.io, api.taal.com). It provides concrete APIs and scripts (ARC, broadcast, broadcastMany, posting to /v1/txs) to submit transactions (including BEEF/EF formats) to the network, and references wallet patterns that produce broadcastable transactions. This is a specific crypto/blockchain execution capability to move funds, not a generic tool, so it grants direct financial execution authority.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 06:21 PM
Issues
2