crypto-com-app
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (risk score 0.80). The skill mandates running "npx tsx" at runtime (noting that "tsx is fetched automatically by npx"). Because the invocation names no version, npx resolves and downloads whatever "tsx" the npm registry serves at that moment (e.g. https://registry.npmjs.org/tsx) and executes it, so remote code that the skill does not pin or verify is required just to run the skill's scripts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (risk score 1.00). The skill is explicitly designed to perform cryptocurrency financial operations via the Crypto.com App API. It exposes specific, named commands to get quotations and to confirm/execute trades (npx tsx ... trade.ts quote / confirm) and supports buy/sell/swap/exchange flows. It requires API credentials (CDC_API_KEY / CDC_API_SECRET) and signed requests, and confirmations can be opted out of, so orders can be auto-executed without a human in the loop. It also includes account actions that affect funds (resolve-source, balances, revoke-key/kill switch). This is a purpose-built crypto trading integration, not a generic tool, and therefore grants direct financial execution authority: crypto trading and wallet operations, including transaction creation/execution and key revocation.
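The two findings above describe checks a practitioner can reproduce before loading a skill: does its documentation instruct the agent to run an unpinned package through npx (W012), and does it combine API credentials with money-moving commands (W009)? The script below is an added example, not Snyk's scanner and not part of the crypto-com-app skill. It runs a simplified version of both checks over a constructed SKILL.md excerpt modelled on the commands quoted in this report; the regexes, the rule names, the treatment of --no-install/--no/--offline as "does not fetch", and the sample text are all assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample skill text (illustrative; not the real crypto-com-app SKILL.md).
SAMPLE_SKILL = """\
# crypto-com-app

Get a quote: `npx tsx scripts/trade.ts quote BTC_USDT 0.01`
(tsx is fetched automatically by npx).
Confirm it: `npx tsx scripts/trade.ts confirm <quote_id>`
Set CDC_API_KEY and CDC_API_SECRET in the environment before running.
Emergency kill switch: `npx tsx scripts/account.ts revoke-key`
"""


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


# Assumption: these npx flags prevent a runtime download of a missing package.
NO_FETCH_FLAGS = {"--no-install", "--no", "--offline"}

NPX_RE = re.compile(
    r"\bnpx\s+"
    r"(?P<flags>(?:-{1,2}[\w-]+\s+)*)"      # leading npx flags, e.g. --no-install
    r"(?P<pkg>@?[\w.-]+(?:/[\w.-]+)?)"      # bare name or @scope/name
    r"(?P<ver>@\S+)?"                       # optional @version or @tag
)
# Environment variable names that look like API credentials.
CRED_RE = re.compile(r"\b[A-Z][A-Z0-9_]*(?:API_KEY|API_SECRET|SECRET_KEY|PRIVATE_KEY)\b")
# Command words that create, execute or revoke financial capability.
MONEY_RE = re.compile(
    r"\b(?:trade|quote|confirm|buy|sell|swap|exchange|withdraw|revoke-key)\b", re.I
)


def find_unpinned_npx(text: str) -> list[str]:
    """Return packages that npx would fetch at runtime: no @version and no no-fetch flag."""
    seen: list[str] = []
    for m in NPX_RE.finditer(text):
        flags = set(m.group("flags").split())
        if m.group("ver") or flags & NO_FETCH_FLAGS:
            continue
        pkg = m.group("pkg")
        if pkg not in seen:
            seen.append(pkg)
    return seen


def find_money_access(text: str) -> tuple[list[str], list[str]]:
    """Return (credential names, money-moving command words) mentioned in the text."""
    creds = sorted(set(CRED_RE.findall(text)))
    actions = sorted({m.group(0).lower() for m in MONEY_RE.finditer(text)})
    return creds, actions


def audit_skill(text: str) -> list[Finding]:
    """Run both checks and return findings in the order the report lists them."""
    findings: list[Finding] = []
    unpinned = find_unpinned_npx(text)
    if unpinned:
        findings.append(Finding(
            "W012", "MEDIUM",
            "unverifiable runtime dependency fetched by npx: " + ", ".join(unpinned),
        ))
    creds, actions = find_money_access(text)
    if creds and actions:  # credentials alone, or verbs alone, are not enough
        findings.append(Finding(
            "W009", "MEDIUM",
            f"credentials {creds} combined with money-moving commands {actions}",
        ))
    return findings


if __name__ == "__main__":
    for f in audit_skill(SAMPLE_SKILL):
        print(f"{f.severity} {f.rule}: {f.detail}")
```

Pinning (`npx tsx@<version>`) or vendoring tsx as a locked devDependency and running it with a no-fetch flag clears the W012 check in this model; nothing short of removing credentials or trading commands clears W009, which is the point of the finding: the capability is the product, so the control has to sit around the agent (confirmation gates, spend limits, a revocable key) rather than in the skill text.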
Issues (2)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata