bybit-trading

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly performs runtime fetches (curl) from https://api.bybit.com/skill/manifest and https://raw.githubusercontent.com/bybit-exchange/skills/main/ to download SKILL.md and module files which are then loaded and used as agent modules/instructions, so remote content can directly control the agent's behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Bybit trading integration with built-in capabilities to execute market actions. It requires API keys/secret, explains HMAC signature construction, provides concrete POST examples (e.g., POST /v5/order/create to place orders), includes modules for spot/derivatives/account/withdraw/transfer, and defines full Mainnet write-operation confirmation and execution flows. This is a purpose-built financial execution tool (crypto exchange market orders, account/wallet operations and signing), not a generic interface — therefore it grants Direct Financial Execution Authority.