onchain-pay-open-api

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read/store API_KEY and PEM_PATH and explicitly constructs a bash command that embeds CLIENT_ID/API_KEY/PEM_PATH as command-line arguments, requiring the LLM to handle and potentially output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly built to perform fiat-to-crypto financial operations with Binance Onchain‑Pay. It exposes endpoints to get payment methods and real-time quotes, create buy pre-orders (pre-order / buy endpoints), and query order status. The pre-order API creates purchase orders and returns payment redirect links; customization flags (e.g., SKIP_CASHIER, SEND_PRIMARY, ON_CHAIN_PROXY_MODE) enable skipping checkout, auto-triggering buy+send, and even executing on‑chain smart contract interactions after purchase. The skill describes signing and calling the API with credentials (API key, client id, RSA private key) and instructs the agent to execute requests. These are specific APIs intended to move money/crypto (create and manage buy orders and on-chain interactions), not generic tooling—so this grants Direct Financial Execution capability.