margin-trading
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill asks the agent to accept a raw API key and secret, use the secret to sign requests, and include the API key in the X-MBX-APIKEY header (i.e., embed credentials into generated requests), which requires the LLM to handle and potentially output secret values verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Binance margin-trading integration that requires API key/secret and supports authenticated trading and fund-management endpoints. It includes POST endpoints for placing orders (/sapi/v1/margin/order, orderList/OTO/OCO/OTOCO), borrowing/repaying (/sapi/v1/margin/borrow-repay), transfers, manual liquidation (/sapi/v1/margin/manual-liquidation), small-liability exchanges, cancelling orders, and creating special API keys. It also documents request signing and headers for executing authenticated transactions. These are direct financial execution actions (placing/cancelling trades, moving/borrowing/repaying assets), not generic tooling.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).