injective-faucet
Fail
Audited by Snyk on Apr 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly contains code that prints and exposes the faucet private key (console.log('Private key:', wallet.privateKey)) and shows a literal FAUCET_PRIVATE_KEY in the env examples, which directs the agent to handle and reveal secret values verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto "faucet" that programmatically sends INJ tokens using ethers.js and an injected faucet private key. It contains concrete code to construct and broadcast transactions (faucetWallet.sendTransaction), environment variables for FAUCET_PRIVATE_KEY, RPC endpoints, logic to top up balances, and instructions to recover and use public keys. This is a specific on-chain token-transfer capability (crypto/blockchain wallet transactions), i.e., direct financial execution.
Issues (2)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).