zyfai
Fail
Audited by Snyk on Apr 1, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill both instructs agents to programmatically create and store API keys (showing an example apiKey value) and includes examples that inline an apiKey in SDK initialization, which requires the agent to handle secret values and may cause it to output them verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi/crypto SDK that performs on-chain money movement and wallet management. It defines and documents methods to deploy subaccounts (deploySafe), accept deposits (depositFunds), send withdrawals (withdrawFunds), create session keys for automated rebalancing (createSessionKey), connect using private keys or WalletClients (including KMS or raw private key usage), and even submit on-chain registration transactions (registerAgentOnIdentityRegistry). It also exposes programmatic API key creation for agents. These are concrete, finance-specific operations (crypto wallet creation, deposits, withdrawals, and transaction submission) — not generic tooling — so the skill grants direct financial execution authority.
Issues (2)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata