bybit-v5
Fail
Audited by Snyk on Mar 5, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to accept plaintext API keys/secrets (read from a file), to store them in TOOLS.md, and provides example scripts and curl commands that embed API_KEY/SECRET_KEY and compute request signatures. This forces the agent to handle the secrets directly and makes it likely to output them verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is an explicit crypto exchange integration (Bybit V5) with authenticated endpoints and signing instructions. It includes API operations to place/cancel/amend market and limit orders (/v5/order/create, /v5/order/cancel, batch order endpoints), manage positions and leverage, perform transfers and withdrawals (/v5/asset/transfer/universal-transfer, /v5/asset/withdraw/create, /v5/asset/withdraw/cancel), execute RFQ trades (/v5/rfq/execute-quote), borrow/repay crypto loans, purchase/redeem leveraged tokens, and other account-altering actions. Authentication (API key + HMAC-SHA256 signing) and the agent behaviors for performing mainnet POST transactions are explicitly documented. These are specific, purpose-built financial operations that can move funds and execute market orders, i.e. direct financial execution authority.
Audit Metadata