gmx-trading

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes an example that hardcodes a private key literal (privateKeyToAccount("0xYOUR_PRIVATE_KEY")), which encourages embedding secret values verbatim in code and thus poses a significant exfiltration risk despite other examples using environment variables.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading integration with built-in write operations. It documents SDK setup for signing transactions (privateKeyToAccount, walletClient), configuring an account/walletClient, and convenience and low-level methods that submit on-chain trades: sdk.orders.long(), short(), swap(), createIncreaseOrder(), createDecreaseOrder(), createSwapOrder(), plus parameters for payAmount, leverage, allowedSlippage, etc. It also describes subaccounts and express signing/delegation for instant execution. These are direct crypto/blockchain financial execution capabilities (wallet signing, swaps, leveraged market orders), not generic tooling.