spot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.95). The skill requires the agent to accept API key and secret input and to construct signed authenticated requests (including AccessKeyId in query and a signature computed with the secret), which forces the model to handle and embed credential-derived values in its outputs.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a spot trading integration for HTX/Huobi with authenticated endpoints and signing logic. It includes API operations that move money or assets: placing orders (/v1/order/orders/place), cancelling orders, batch cancels, conditional orders, account transfers (/v1/account/transfer, /v1/futures/transfer), margin loan create/repay (/v1/margin/orders), and account/balance management. It requires API key/secret and HMAC signing to perform these transactional endpoints. This is not a generic tool — its primary purpose is executing financial transactions on an exchange. Therefore it grants direct financial execution capability.