key-derivation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and usage patterns embed private keys, WIFs, xprv strings, and mnemonics directly into code (e.g., PrivateKey.fromWif("L1..."), HD.fromString("xprv..."), Mnemonic.fromString("word1...")), which forces handling or outputting secret values verbatim and thus poses high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly about cryptocurrency key management for BSV: creating master private keys from mnemonics/WIF, deriving child keys/addresses (Type42/BIP32), counterparty shared keys for payments, and signing/encryption via the bsv-bap library. It references specific wallet APIs and functions (e.g., PrivateKey.fromWif, HD.fromString, deriveChild, Mnemonic.toSeed, identity.signMessage) that directly enable control of blockchain keys and signing—i.e., wallet operations. This is a specific crypto/blockchain wallet capability (not a generic tool), so it constitutes Direct Financial Execution authority.