Bankr x402 SDK - Client Patterns
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls the agent).
- Potentially malicious external URL detected (high risk: 0.90). The Bankr client uses an external API by default (noted in .env.example as https://api.bankr.bot) at runtime via bankrClient.promptAndWait, and that API can return prompts/responses and transaction metadata, which the skill then executes locally, so the URL directly controls instructions and executable actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for crypto financial operations. It requires a payment wallet private key (BANKR_PRIVATE_KEY), references USDC micropayments, and includes concrete transaction execution code: creating a wallet client (viem), signing/sending blockchain transactions (client.sendTransaction), and examples for token swaps (Swap 0.1 ETH to USDC). These are direct crypto wallet and transaction actions (wallet management, signing, and submitting on-chain), which constitute Direct Financial Execution.
Audit Metadata