sub-account

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt requires users to provide a raw API key and secret, and tells the agent to sign requests (building signatures with the secret) and include the X-MBX-APIKEY header. This forces the LLM to handle and embed secret values or derived signatures in generated requests, creating exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for Binance sub-account management and includes authenticated endpoints that perform asset transfers, futures transfers, margin transfers, internal/sub-to-sub/sub-to-master transfers, universal transfers, managed-subaccount deposits and withdrawals, and move-position operations. It requires API key/secret and signing of requests, i.e., it is specifically designed to move crypto assets and execute account transactions. These are direct financial execution capabilities.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Mar 19, 2026, 10:25 AM
Issues: 2