spaceship-domains
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt's example workflows require passing sensitive values verbatim (e.g., transfer_domain({ authCode: "EPP-CODE" }) and TXT/DKIM values) as parameters to API/tool calls. This forces the agent to accept plaintext secrets from the user and embed them directly in the tool-call arguments it emits, so the secrets end up in the model's context and in any transcript or log that records those requests, rather than being handled out of band by the tool layer.
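The alternative the finding points at, as an added example that is not code from the spaceship-domains skill or from Snyk's audit: the skill's instructions tell the model to pass a reference such as {{secret:EPP_AUTH_CODE}}, and the tool-execution layer resolves that reference against a vault after the model has emitted the call and scrubs the value out of anything returned to the model. The reference syntax, the vault contents, the tool names other than transfer_domain, and the fake API are constructed assumptions.

```javascript
// Added example, not code from the spaceship-domains skill or from Snyk's
// audit: a tool-execution boundary that resolves "{{secret:NAME}}" references
// after the model has emitted the call, so plaintext auth codes and TXT/DKIM
// values never appear in the model's context or transcript. The vault
// contents, reference syntax and fake API are constructed assumptions.

const SECRET_REF = /^\{\{secret:([A-Z0-9_]+)\}\}$/;

// Constructed vault. In practice this is a secrets store the user fills
// out-of-band (not through chat); the agent is only told the names.
const VAULT = {
  EPP_AUTH_CODE: 'Xk9#transfer-auth-7731',
  OWNERSHIP_TXT_VALUE: 'spaceship-verify=4f1c9a2e7b',
};

// Deep-copy args, swapping each reference for the vault value. Unknown
// names fail closed rather than being sent upstream as literal text.
function resolveSecretRefs(value, vault) {
  if (typeof value === 'string') {
    const m = SECRET_REF.exec(value);
    if (!m) return value;
    if (!Object.prototype.hasOwnProperty.call(vault, m[1])) {
      throw new Error(`unknown secret reference: ${m[1]}`);
    }
    return vault[m[1]];
  }
  if (Array.isArray(value)) return value.map((v) => resolveSecretRefs(v, vault));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, resolveSecretRefs(v, vault)]),
    );
  }
  return value;
}

// Scrub any vault value out of text before it goes back to the model.
// Registrar APIs commonly echo request fields in error messages.
function redact(text, vault) {
  let out = text;
  for (const [name, secret] of Object.entries(vault)) {
    out = out.split(secret).join(`[REDACTED:${name}]`);
  }
  return out;
}

// Defense in depth: if a value that is stored in the vault arrives as a
// literal argument (the user pasted it into chat, as the audited
// instructions invite), refuse rather than forward it.
function containsPlaintextSecret(value, vault) {
  const json = JSON.stringify(value);
  return Object.values(vault).some((secret) => json.includes(secret));
}

// Constructed fake API: the transfer call fails and echoes the auth code.
const FAKE_API = {
  transfer_domain: ({ domain, authCode }) => ({
    ok: false,
    error: `transfer of ${domain} rejected: auth code ${authCode} is not valid`,
  }),
  create_dns_record: ({ domain, type, value }) => ({
    ok: true,
    record: `${type} ${domain} "${value}"`,
  }),
};

// Run one tool call on the model's behalf. Only agentVisible is returned
// to the model; the resolved arguments and raw response stay here.
function executeTool(name, agentArgs, vault = VAULT, api = FAKE_API) {
  if (!(name in api)) throw new Error(`unknown tool: ${name}`);
  if (containsPlaintextSecret(agentArgs, vault)) {
    return {
      ok: false,
      agentVisible: 'refused: pass secrets as {{secret:NAME}} references, not as literal values',
    };
  }
  const result = api[name](resolveSecretRefs(agentArgs, vault));
  return { ok: result.ok, agentVisible: redact(JSON.stringify(result), vault) };
}
```

The redaction step matters as much as the reference syntax: without it, an API error that echoes the auth code would put the secret back into the model's context on the return path.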
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes domain lifecycle operations that explicitly perform paid transactions: register_domain, renew_domain, restore_domain and transfer_domain (all marked as async and financial). It also includes SellerHub marketplace actions (create_sellerhub_domain with binPrice, create_checkout_link for buyNow) and a note warning "Financial operations: Registration, renewal, restore, and transfer cost money — always confirm with the user before executing." These are specific, non-generic endpoints intended to initiate money-moving operations (registrations, renewals, transfers, marketplace purchases), so the skill grants direct financial execution capability. The only safeguard in the skill is that prose instruction to the model; nothing in the tool layer enforces that a user actually confirmed a given operation and price before the call is made.
Audit Metadata