usdt-m-futures
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill requires constructing signed authenticated requests (including AccessKeyId and appending the Signature) and accepts raw API/secret files, which forces the agent to handle and potentially output secret values verbatim (API keys/signatures) despite masking rules for display.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with a crypto derivatives exchange (HTX) and includes authenticated endpoints and instructions for executing live trading and fund movements. It requires API key/secret and HMAC signing, and documents transaction endpoints such as placing orders (POST /linear-swap-api/v1/swap_order, /swap_cross_order, swap_batch_orders, trigger and trailing orders), cancelling orders, lightning close, switching leverage/position mode, and transferring funds between accounts (POST /linear-swap-api/v1/swap_transfer, /swap_master_sub_transfer). These are concrete market-order and transfer operations — not generic API callers or browser automation — and therefore grant direct financial execution capability.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata