spot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires building signed requests and including the X-MBX-APIKEY header (and using the secretKey to create signatures), which forces the agent to use and emit API key/secret material in requests or commands rather than keeping them only in external secure runtime—this is direct handling/exposure of secrets.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Binance Spot trading integration. It requires API key/secret, describes authenticated endpoints for account info and signing requests, and includes endpoints to create, amend, cancel, and query orders (e.g., POST /api/v3/order, /api/v3/orderList, SOR order endpoints). These are direct market-order and account-management operations on a crypto exchange (mainnet/testnet/demo) — i.e., the primary purpose is to move/manage funds and execute trades. This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Market Orders (Buying/Selling stocks or assets)" criteria for Direct Financial Execution.