bingx-sub-account

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to return API key credentials (e.g., data.apiKey and data.secretKey) back to the user and the example code surfaces API_KEY/SECRET variables, requiring the LLM to handle and output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for managing a crypto exchange (BingX) sub-account and includes write endpoints that move funds and manage financial credentials. It provides APIs to authorize and perform internal transfers and asset transfers (e.g., /openApi/account/transfer/v1/subAccount/transferAsset, /openApi/wallets/v1/capital/subAccountInnerTransfer/apply), create deposit addresses, and create/edit API keys with permissions including Withdraw/Transfer. Those endpoints directly execute financial operations (transfer assets, authorize transfers, create API keys that can enable withdrawals), so it grants direct financial execution authority.