fiscal

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask for the server password and run a command embedding it as --password , which requires handling and outputting a secret verbatim (high exfiltration risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill is a purpose-built personal-finance/ budgeting tool that translates user intents into concrete fscl CLI commands that create/import/edit/apply transactions, manage accounts, and auto-sync to an Actual Budget server. It includes write workflows (draft → apply), server login (fscl login --password), and explicit instructions to confirm and execute financial changes. Those are specific, finance-focused execution actions ("send transaction"/apply writes), not generic tooling, so it grants direct financial execution capability.