bingx-sub-account

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires signed requests using apiKey/secretKey and explicitly instructs the agent to return API keys/secretKey (e.g., from create API Key responses), which forces the LLM to handle and output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for managing a crypto exchange's sub-accounts (BingX) and includes authenticated write endpoints that move or enable movement of funds. Examples: POST /openApi/wallets/v1/capital/subAccountInnerTransfer/apply (sub-account internal transfer), POST /openApi/account/transfer/v1/subAccount/transferAsset (sub-account asset transfer) and parameters like assetName/transferAmount/fromUid/toUid. It also supports creating API keys with permissions including Withdraw (5) and internal transfer (7), creating deposit addresses, and querying deposit/transfer records. These are specific financial operations (crypto asset transfers and account fund management), not generic tooling, so it grants Direct Financial Execution authority.