derivatives-trading-portfolio-margin
Fail
Audited by Snyk on Mar 19, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to accept raw API key/secret files and to sign requests and include the X-MBX-APIKEY header (and append signatures), which requires the agent to handle and potentially emit API keys/signatures verbatim, creating an exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is specifically designed to interact with Binance trading APIs and includes authenticated endpoints for creating, modifying, and canceling orders, transferring funds, borrowing/repaying margin, and other account actions. Examples of explicit financial execution capabilities present in the skill: POST /papi/v1/cm/order (New CM Order), POST /papi/v1/um/order (New UM Order), POST /papi/v1/margin/order (New Margin Order), POST /papi/v1/marginLoan (Margin Account Borrow), POST /papi/v1/margin/repay-debt and /papi/v1/repayLoan (Repay), POST /papi/v1/bnb-transfer (BNB transfer), POST /papi/v1/repay-futures-negative-balance (Repay futures negative balance), plus many other TRADE/MARGIN endpoints. It requires API key and secret and documents signing and submitting transactions (HMAC SHA256/etc.), including rules for confirming mainnet transactions. This is not a generic tool—its primary and explicit purpose is to move money / execute market orders on a crypto exchange. Therefore it meets the criteria for Direct Financial Execution.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata