coinstats-portfolio

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to pass an API key directly on the command line (coinstats login --api-key <key>). This requires the agent to include the secret verbatim in a command and is therefore insecure.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a crypto portfolio tool (CoinStats) with commands for connecting wallets and managing transactions: "portfolio connect-wallet" and "portfolio add-transaction" (plus sync/delete). This is a domain-specific financial integration for crypto wallets/transactions rather than a generic browser or HTTP tool, and the presence of wallet/transaction management fits the listed crypto/blockchain criteria for Direct Financial Execution.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 10, 2026, 02:07 PM