bankr

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask for OTPs and API/LLM keys and to construct CLI/HTTP commands that embed those secrets verbatim (e.g., --code , --api-key bk_..., X-API-Key headers), which requires the LLM to output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on open/public third‑party content — e.g., SKILL.md and references (NFT operations and Market Research) accept and act on OpenSea/Manifold URLs and market/social data, and references/agent-profiles.md exposes public tweets via GET /agent-profiles/:identifier/tweets — which the agent is expected to read and which can materially influence trading/transaction actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet agent with built-in write actions. It documents APIs and CLI commands for swaps, transfers, limit/stop-loss orders, leverage trading, cross-chain bridges, token deployment, Polymarket bets, and explicit endpoints to sign and submit transactions (POST /agent/sign and POST /agent/submit). The login flow includes a --read-write flag that enables swaps, transfers, orders, token launches, leverage, and bets. It also shows concrete examples like "Buy $50 of ETH on Base", "Send 0.1 ETH to vitalik.eth", "Submit raw transaction", and CLI/REST examples for submitting and polling jobs. These are direct financial execution capabilities (crypto wallet operations, transaction signing/submission, trading and transfers), not generic tooling.