bankr

Fail

Audited by Snyk on Apr 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask users for OTPs and API/LLM keys and to construct/emit CLI commands and HTTP requests that embed those secrets verbatim (e.g., --code , --api-key bk_..., X-API-Key: ...), so the LLM would need to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public, user-generated content (e.g., tweets via GET /agent-profiles/:identifier/tweets, OpenSea NFT listings, CoinGecko marketCap updates and social sentiment data mentioned in Market Research and Agent Profiles) and the agent is instructed in SKILL.md and references to read/interpret that content as part of market-research and trading workflows that can trigger transactions or automation, so untrusted third‑party content could materially influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet API with built-in transaction capabilities. It defines synchronous Wallet API endpoints for POST /wallet/transfer, /wallet/sign, and /wallet/submit, CLI commands like bankr wallet transfer ..., and natural-language agent prompts that can execute trades (e.g., "Buy $50 of ETH on Base"). It also documents token swaps, limit/stop/DCA/TWAP orders, cross-chain bridging, leverage trading, Polymarket betting, token deployment, and submitting raw transactions. The login flags (--read-write) and API key controls explicitly enable or disable write/transaction permissions. These are specific, purpose-built financial execution tools (crypto wallet operations and transaction submission), so this grants Direct Financial Execution Authority.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 1, 2026, 02:24 AM
Issues: 3