derivatives-trading-usds-futures
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill requires constructing authenticated requests (including adding the X-MBX-APIKEY header with the API key and signing query strings with the secretKey) and accepts users sending credential files, which forces the agent to handle and embed secret values (or use them directly to compute signatures) in generated requests—an exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Binance derivatives trading integration that requires API key/secret and exposes authenticated endpoints that execute trades and modify account state. It includes POST endpoints for New Order (/fapi/v1/order), New Algo Order (/fapi/v1/algoOrder), batch order placement (/fapi/v1/batchOrders POST), order cancellation (/fapi/v1/order DELETE), changing leverage (/fapi/v1/leverage POST), modifying position margin (/fapi/v1/positionMargin POST), convert/acceptQuote endpoints, and other TRADE-scoped actions. It also documents request signing and credentials handling and even workflow rules for confirming mainnet transactions. These are specific, purpose-built financial execution capabilities (placing/canceling/modifying market orders and account funds/settings), so it grants direct financial execution authority.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata