alpha

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill asks the user to supply a raw API key and secret (via file), and instructs storing them, adding the API key directly to request headers (X-MBX-APIKEY), and using the secretKey for signing, which requires the model to receive and embed secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly built around the Binance trading API: it requires API key and secret, describes authenticated/signed requests (HMAC SHA256/RSA/Ed25519), includes account storage and handling, and contains explicit behavior for performing transactions on mainnet (including a required "CONFIRM" step). These are specific crypto/exchange integration capabilities (signed trading/transaction endpoints), i.e., direct financial execution authority rather than a generic tool. Therefore it meets the criteria for Direct Financial Execution.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 12, 2026, 09:32 AM
Issues: 2