blindpay

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt explicitly shows using an API key passed as "Authorization: Bearer YOUR_API_KEY" in a curl example and describes putting the API key in the request URL/header, which encourages embedding secrets verbatim in generated commands or code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payments integration (BlindPay) with APIs to perform real financial operations: creating payin/payout quotes, executing payouts (stablecoin → fiat) and payins (fiat → stablecoin), ERC20 approvals, managing bank accounts/virtual accounts, receiver KYC, and supported banking rails (ACH, Wire, PIX, SWIFT) and blockchain networks. It includes authentication and example API calls for executing transfers. These are specific, purpose-built financial execution capabilities (crypto wallet operations + bank transfers), so it meets the "Direct Financial Execution" criterion.
Audit Metadata

Risk Level: HIGH

Analyzed: Feb 16, 2026, 01:45 AM