vip-loan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill requires the agent to accept raw API key and secret inputs and to build/send signed requests (including the X-MBX-APIKEY header and producing HMAC signatures), and it even instructs storing/reading credential files, which means the LLM would need to handle or embed secret values (or derived signatures) in generated requests/commands—creating an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform Binance VIP loan operations using authenticated API endpoints. It includes POST endpoints that execute financial actions (e.g., /sapi/v1/loan/vip/borrow, /sapi/v1/loan/vip/renew, /sapi/v1/loan/vip/repay) and requires API key/secret and request signing. Those are direct crypto/financial transaction capabilities (move/borrow/repay funds), so it grants Direct Financial Execution authority.