simple-earn

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires using and signing requests with the apiKey and secretKey (including adding X-MBX-APIKEY and appended signatures) and accepts raw credential files, which forces the agent to read and embed secret values in generated requests/commands if it performs those actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with Binance authenticated trading endpoints: it lists POST endpoints like /sapi/v1/bfusd/subscribe, /sapi/v1/bfusd/redeem, /sapi/v1/simple-earn/flexible/subscribe, /sapi/v1/simple-earn/flexible/redeem, /sapi/v1/rwusd/subscribe, /sapi/v1/rwusd/redeem, etc., labeled as (TRADE). It requires API key and secret, details signing (HMAC SHA256/RSA/Ed25519), and includes instructions for performing transactions on mainnet (including user confirmation). These are specific crypto/financial execution capabilities (subscribing/redeeming assets and executing trades), not generic tooling. Therefore it grants Direct Financial Execution Authority.