gigaverse

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes insecure examples that embed secrets verbatim (e.g., passing a private key as ./scripts/setup-wallet.sh import "0x..." and submitting a signature string in a curl -d JSON payload), which would require the agent to output secret values directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes crypto wallet creation/import, private key storage, and signing-based authentication and onchain actions. It provides scripts to generate/import wallets (scripts/setup-wallet.sh), stores the private key in ~/.secrets/gigaverse-private-key.txt, and instructs signing SIWE messages and submitting them to the API (scripts/auth.sh / manual SIWE flow). It also describes onchain operations such as "Mint Noob" and references mint/onchain flows and APIs. These are specific crypto/blockchain capabilities (wallets and signing) that enable moving or controlling funds/assets, not merely generic tooling. Therefore it meets the crypto/wallet/signing criteria for Direct Financial Execution.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:20 AM