manage-bap-backup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed secrets verbatim (master WIFs in backup JSON and a CLI example passing -p "password"), which would require an LLM to include secret values directly in generated commands or code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly handles crypto private keys and wallet identity material: it describes exporting/importing master backups containing rootPk (WIF or xprv), member derived private keys, functions to read/get addresses (getCurrentAddress, rootAddress), and exposes stable member WIFs used for signing (auth tokens and identity signing). It uses a specific Bitcoin identity library (bsv-bap) and key-derivation flows; these are concrete crypto wallet/signing capabilities (not generic tooling). Because it directly manages keys that can sign transactions and reconstruct wallets/identities, it meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for direct financial execution authority.