fundfarm

Fail

Audited by Snyk on Apr 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs placing a user-provided API Key into request headers ("Authorization: Bearer <user-provided API Key>"), which requires the LLM to handle and embed secret values verbatim, creating an exfiltration risk.
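The two handling patterns behind this finding, as an added example that is not fundfarm's own code: the insecure one, where the model is handed the key and writes the Authorization header itself, beside a tool-side wrapper that owns the credential, refuses any model-supplied Authorization header, and scrubs the key from text before it re-enters the model context. The environment variable name FUNDFARM_API_KEY, the CredentialVault class and the helper functions are assumptions for illustration; only the "Authorization: Bearer <key>" header shape comes from the audit.

```python
import os
import re
from typing import Mapping, Optional

# Constructed illustration for finding W007, not fundfarm's own code.
# The environment variable name and the wrapper functions are assumptions;
# the header format "Authorization: Bearer <key>" is the one the audit quotes.

SECRET_ENV = "FUNDFARM_API_KEY"  # assumed name

# Matches any bearer-shaped token so unrelated secrets are scrubbed as well.
BEARER_RE = re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{16,}")


class CredentialVault:
    """Holds the API key on the tool side, outside the model's context."""

    def __init__(self, source: Optional[Mapping[str, str]] = None):
        # Defaults to the process environment; tests pass a plain dict.
        self._source = os.environ if source is None else source

    def key(self) -> str:
        key = self._source.get(SECRET_ENV)
        if not key:
            raise RuntimeError(SECRET_ENV + " is not set")
        return key


def insecure_request(model_headers: dict, path: str) -> dict:
    """The pattern the audited prompt asks for: the model is handed the key
    and writes the Authorization header itself. Once the key is in the
    model's context, nothing here prevents it from being echoed into chat,
    a URL parameter, or another tool call."""
    return {"path": path, "headers": dict(model_headers)}


def guarded_request(vault: CredentialVault, path: str,
                    model_headers: Optional[dict] = None) -> dict:
    """Hardened pattern: the wrapper injects the credential. The model may
    pass ordinary headers but is refused if it tries to supply Authorization,
    which would mean a secret (or an attacker-chosen token) passed through it."""
    headers = dict(model_headers or {})
    if any(name.lower() == "authorization" for name in headers):
        raise ValueError("Authorization is set by the wrapper, never by the model")
    headers["Authorization"] = "Bearer " + vault.key()
    return {"path": path, "headers": headers}


def redact(vault: CredentialVault, text: str) -> str:
    """Scrub the live key, then any bearer-shaped token, from text that is
    about to go back into the model context or a log."""
    try:
        text = text.replace(vault.key(), "[REDACTED]")
    except RuntimeError:
        pass  # no key configured; still scrub token-shaped strings
    return BEARER_RE.sub("Bearer [REDACTED]", text)


if __name__ == "__main__":
    # Constructed demo key; never a real credential.
    vault = CredentialVault({SECRET_ENV: "sk-test-0123456789abcdef"})
    print(guarded_request(vault, "/api/holdings")["headers"].keys())
    print(redact(vault, "upstream said: Bearer sk-test-0123456789abcdef"))
```

The wrapper is what a skill should expose to the agent as its HTTP tool: the model names the path and any harmless headers, the key is read from the tool's own environment, and every response body passes through redact() before it is shown to the model. The exfiltration risk in the finding exists precisely because the audited prompt asks the model to do the wrapper's job itself.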

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill explicitly reads user-generated knowledge stored on the site (see SKILL.md: "knowledge add" writes to the web knowledge base, and "knowledge get --content-only" / "read the raw knowledge text for the local Agent to analyze"), meaning the agent ingests third-party, untrusted content from the web that can materially influence decisions and subsequent tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides dedicated interfaces and commands for executing real changes to funds and holdings; it is not a general-purpose tool. Evidence includes the CLI commands (such as "fundfarm trade buy <code> --amount ... --yes", "fundfarm trade sell ...", "fundfarm trade cancel", "fundfarm holdings import / batch-import", "add_to_watchlist", "sell_holding", "delete_transaction", etc.) and the write-operation tools in the MCP list ("add_holding", "batch_add_holdings", "import_holding", "batch_import_holdings", "sell_holding", "delete_transaction", etc.). These interfaces directly create, modify or cancel trades and holdings, and they allow the Agent to bypass interactive confirmation via "--yes" or an API Key, so the skill has an explicit capability to send trading instructions. Although there are multiple layers of safety restrictions and auditing, the tool's primary and explicit definition is "send trades / manage holdings", so it meets the definition of "direct financial execution".
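One way to gate these calls on the agent side, covering both W009 and W011, as an added example that is not fundfarm's own code: a policy layer between the model and the tools that strips any agent-supplied "--yes", requires an exact-match confirmation from a channel the model cannot write to before any trade or holdings write, and refuses writes while untrusted knowledge-base content has entered the context since the last human decision (so an injected instruction in a knowledge entry cannot ride on an earlier confirmation). The write subcommands and MCP tool names are the ones quoted in the finding; the Session and Decision types, the taint rule, the fingerprint format and the sample fund code and knowledge id used in the demo are assumptions.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Set

# Constructed guardrail for findings W009 and W011, not fundfarm's own code.
# The write commands and MCP tool names are those quoted in the audit; the
# Session/Decision types, the taint rule and the fingerprint format are assumed.

# CLI subcommands that create, modify or cancel trades or holdings (W009).
CLI_WRITE_SUBCOMMANDS = {
    ("trade", "buy"), ("trade", "sell"), ("trade", "cancel"),
    ("holdings", "import"), ("holdings", "batch-import"),
}
# MCP write tools named in the finding.
MCP_WRITE_TOOLS = {
    "add_holding", "batch_add_holdings", "import_holding",
    "batch_import_holdings", "sell_holding", "delete_transaction",
}
# Reads that pull site-hosted, user-generated text into the model's context (W011).
UNTRUSTED_READS = {("knowledge", "get")}


@dataclass
class Session:
    tainted: bool = False  # untrusted content seen since the last human turn
    confirmed: Set[str] = field(default_factory=set)  # out-of-band confirmations


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: List[str] = field(default_factory=list)  # argv actually passed on


def parse_cli(command: str) -> List[str]:
    """Split a shell-style fundfarm command into argv without the binary name."""
    argv = shlex.split(command)
    if not argv or argv[0] != "fundfarm":
        raise ValueError("not a fundfarm command")
    return argv[1:]


def is_write(tool: str, argv: List[str]) -> bool:
    if tool == "cli":
        return tuple(argv[:2]) in CLI_WRITE_SUBCOMMANDS
    return tool in MCP_WRITE_TOOLS


def fingerprint(tool: str, argv: List[str]) -> str:
    # --yes is dropped so the human confirms the call, not the flag.
    return tool + ":" + " ".join(a for a in argv if a != "--yes")


def note_result(session: Session, tool: str, argv: List[str]) -> None:
    """Call after every tool result; marks the context tainted when the
    result came from the site's user-generated knowledge base."""
    if tool == "cli" and tuple(argv[:2]) in UNTRUSTED_READS:
        session.tainted = True


def human_confirm(session: Session, tool: str, argv: List[str]) -> None:
    """Invoked from a channel the model cannot write to (e.g. a UI prompt).
    A fresh human decision also clears the taint from earlier ingestion."""
    session.confirmed.add(fingerprint(tool, argv))
    session.tainted = False


def authorize(session: Session, tool: str, argv: List[str]) -> Decision:
    """Gate a model-initiated call. Reads pass; writes need an unused,
    exact-match human confirmation and a context untouched by untrusted
    content since that confirmation. The agent's own --yes is always stripped."""
    argv = [a for a in argv if a != "--yes"]
    if not is_write(tool, argv):
        return Decision(True, "read-only", argv)
    if session.tainted:
        return Decision(False, "blocked: untrusted site content entered the context after the last human turn", argv)
    fp = fingerprint(tool, argv)
    if fp not in session.confirmed:
        return Decision(False, "needs out-of-band human confirmation", argv)
    session.confirmed.discard(fp)  # one confirmation authorises exactly one call
    return Decision(True, "confirmed by human", argv)


if __name__ == "__main__":
    s = Session()
    # Constructed fund code and knowledge id; not real data.
    buy = parse_cli("fundfarm trade buy 123456 --amount 100 --yes")
    print(authorize(s, "cli", buy))            # refused: no confirmation, --yes stripped
    human_confirm(s, "cli", buy)
    note_result(s, "cli", parse_cli("fundfarm knowledge get 42 --content-only"))
    print(authorize(s, "cli", buy))            # refused: tainted after confirmation
```

The ordering matters: the taint check runs before the confirmation lookup, so content pulled via "knowledge get" after a human has approved a trade invalidates that approval rather than being able to steer it. Confirmations are single-use and keyed on the exact tool and arguments, which is what stops an agent from reusing one approval for a larger amount or a different fund.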

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 14, 2026, 10:35 AM
Issues: 3