assets

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill requires the agent to include the X-MBX-APIKEY header and to sign requests with the secretKey (appending the signature), which forces the LLM to handle and emit API key/secret-derived values in generated requests.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a Binance asset-management integration and includes authenticated endpoints and actions that move funds. It requires an API key/secret and details how to sign requests. Concrete POST endpoints listed allow financial execution (e.g., /sapi/v1/capital/withdraw/apply for withdrawals, /sapi/v1/asset/transfer for transfers, dust-convert/convert, broker/localentity withdraw endpoints, enable/disable fast withdraw switch, etc.). The documentation even instructs how to sign and send requests and how to provide/store credentials. These are specific crypto/exchange wallet operations (not generic tooling) that can initiate transactions, so the skill provides direct financial execution capability.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Mar 12, 2026, 09:32 AM
  • Issues: 2