convert

Fail

Audited by Snyk on Mar 17, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly requires building and signing authenticated requests (using the secretKey for HMAC/other signing) and including the API key header, which forces the agent to accept and embed raw credentials (or derived signatures) and thus risks verbatim secret handling and exfiltration.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency conversions and trades on Binance. It exposes authenticated endpoints for trading actions (e.g., /sapi/v1/convert/acceptQuote (TRADE), /sapi/v1/convert/limit/placeOrder (POST), cancelOrder, getQuote and orderStatus) and requires API key/secret and signing of requests. The documentation even details signing requests and mainnet transaction confirmation, showing the agent can initiate and execute asset transfers/trades. This is a direct financial execution capability (crypto trading/wallet operations).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 17, 2026, 12:13 PM
Issues: 2