oro-gold

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt describes obtaining an API key and explicitly instructs placing it verbatim in requests (x-api-key header), which would require the agent to handle/output secret values and creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes APIs for buying and selling gold (GRAIL tokens), estimating costs, and managing user/partner purchases and sales (e.g., /trading/estimate/buy, /trading/purchases/user, /trading/sales/user, /trading/purchases/partner, /trading/sales/partner). It also requires wallet-based authentication (message signing, Ed25519) and references tokens, PDAs, custodial vs self-custody, and partner treasury management. These are specific financial/crypto operations (asset trades, wallet signing, treasury management), not generic utilities, so the skill grants direct financial execution authority.