bybit-v5
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks for API keys and secret keys and shows them being inserted into scripts, curl headers, and WebSocket auth args, and stored in TOOLS.md (with examples like API_KEY="your_api_key" and SECRET_KEY="your_secret_key"). This requires the agent to handle secrets directly and could cause it to output them verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a dedicated Bybit V5 trading/asset-management integration and explicitly exposes authenticated write endpoints that move money or crypto: e.g., placing/cancelling/amending orders (/v5/order/create, /v5/order/cancel, batch endpoints), withdrawals (/v5/asset/withdraw/create, /v5/asset/withdraw/cancel), internal/universal transfers (/v5/asset/transfer/inter-transfer, /v5/asset/transfer/universal-transfer), fiat execute (/v5/fiat/trade-execute), convert/convert-execute, leverage token purchase/redeem, crypto-loan borrow/repay, lending deposit/redeem, broker voucher distribution, and many other account/asset write operations. It also specifies HMAC-SHA256 signing and API-key headers for authenticated actions and has explicit mainnet write confirmation rules. These are specific financial execution capabilities (not generic tooling) designed to move funds and execute market transactions.
Audit Metadata