message-signing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt shows and encourages using raw WIF/private keys (e.g., PrivateKey.fromWif("L1..."), rootPk: wif) directly in code/examples, which requires handling and potentially outputting secret key material verbatim, creating an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for Bitcoin SV cryptographic signing and transaction-bound signing: it shows use of PrivateKey.fromWif, SignedMessage/BSM, WalletSigner (BRC-100 wallet), Sigma.sign which returns signedTx, and an inscribe action that "handles anchor tx construction, sigma hash computation, and broadcast automatically." Those are explicit blockchain wallet/signing and transaction-create/broadcast operations (wallet signers, raw private keys, and broadcasting transactions), which qualify as direct crypto/blockchain execution capability.