spot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks the agent to accept API key and secret, build and emit authenticated request bodies (including the api_key and HMAC sig derived from the secret) and to accept credential files — forcing the LLM to handle and include credential values verbatim in generated requests, which is an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Crypto.com Exchange Spot API integration with authenticated private endpoints that perform trading and wallet operations. It includes endpoints to create orders (private/create-order, private/advanced/*), cancel orders, create withdrawals (private/create-withdrawal), transfer between accounts (private/create-subaccount-transfer), and view/manage balances — all of which are specific tools to move funds or execute market orders. Authentication with API key/secret and signing is required, confirming it is designed for direct financial execution.