synpress-e2e

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit private key literal in the .env example (TEST_PRIVATE_KEY) and shows commands that import that key, so an LLM following the skill would have to reproduce or handle the secret value verbatim in its output and tool calls, and the literal would be copied into every environment the skill is used in.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The file contains a high-entropy literal private key assigned to TEST_PRIVATE_KEY (starts with 0xac0974b...). Private keys are classified as secrets (usable credentials), so this is a real secret present in the documentation. It is labeled as a test key, but that does not remove its classification as a private key leak. The prefix matches the publicly documented default account #0 key that Hardhat and Anvil pre-fund on their local chains, so the value itself is not confidential; the risk is the pattern: a key copied from documentation into a .env file is readily reused against a public network, where anything sent to its address can be spent by anyone who holds the published key. No other high-entropy secrets (API keys, PEM blocks, etc.) are present; the listed RPC URL, chain ID, and other strings are non-secret configuration.
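The two findings above describe a pattern (a key literal in skill text) and a check (high-entropy 64-hex literals). The following is an added example, not code from the Snyk report or from the synpress-e2e skill: a scanner that finds EVM private-key literals in skill or documentation text, and a loader that takes TEST_PRIVATE_KEY from the environment instead of from a literal. The two snippets and the sample key (the hex digits 0-f repeated four times) are constructed; the function names and the entropy threshold are this example's own choices.

```javascript
// Added example (not part of the Snyk report or the synpress-e2e skill).
// Constructed sample key: the 16 hex digits repeated, so it is obviously fake
// but has the maximum per-digit entropy a real 32-byte key would approach.
const SAMPLE_KEY =
  '0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';

// Constructed "before": the pattern W007/W008 flag, a key literal in a .env example.
const SKILL_SNIPPET_UNSAFE = [
  'Create a .env file:',
  'RPC_URL=http://127.0.0.1:8545',
  'CHAIN_ID=31337',
  `TEST_PRIVATE_KEY=${SAMPLE_KEY}`,
  'Then run the test suite.',
].join('\n');

// Constructed "after": the same instructions with the value supplied out of band.
const SKILL_SNIPPET_SAFE = [
  'Create a .env file (do not commit it):',
  'RPC_URL=http://127.0.0.1:8545',
  'CHAIN_ID=31337',
  'TEST_PRIVATE_KEY=<export it in your shell; never paste a key into this file or into chat>',
  'Then run the test suite.',
].join('\n');

// A secp256k1 private key is exactly 32 bytes, i.e. 64 hex digits. The lookarounds
// keep 40-digit addresses and longer hashes (e.g. 0x + 64 digits inside a 0x + 128
// digit signature) from matching as keys.
const PRIVATE_KEY_RE = /(?<![0-9a-fA-F])0x[0-9a-fA-F]{64}(?![0-9a-fA-F])/g;

// Shannon entropy in bits per hex digit (maximum 4.0). Real keys sit near the top;
// filler such as 0xaaaa... does not, which keeps placeholder values out of the findings.
function hexEntropy(hex) {
  const counts = new Map();
  for (const ch of hex.toLowerCase()) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / hex.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Findings never carry the full value; like the report, only a short prefix is kept.
function redact(key) {
  return key.slice(0, 9) + '…';
}

// One finding per high-entropy 64-hex literal, with 1-based line numbers.
function findPrivateKeyLiterals(text, minEntropy = 3.0) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(PRIVATE_KEY_RE)) {
      const entropy = hexEntropy(m[0].slice(2));
      if (entropy >= minEntropy) {
        findings.push({ line: idx + 1, redacted: redact(m[0]), entropy });
      }
    }
  });
  return findings;
}

// Hardened loader: the key reaches the process only through the environment, is
// validated for shape, and is never interpolated into an error message or a log.
function loadTestPrivateKey(env) {
  const raw = env.TEST_PRIVATE_KEY;
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new Error('TEST_PRIVATE_KEY is not set; export it in your shell, do not write it into docs');
  }
  if (!/^0x[0-9a-fA-F]{64}$/.test(raw)) {
    throw new Error('TEST_PRIVATE_KEY must be 0x followed by 64 hex digits');
  }
  return raw;
}

// Stand-alone run: the unsafe snippet yields one finding, the safe one none.
console.log('unsafe snippet findings:', findPrivateKeyLiterals(SKILL_SNIPPET_UNSAFE));
console.log('safe snippet findings:', findPrivateKeyLiterals(SKILL_SNIPPET_SAFE));
console.log('loader accepts env-supplied key:', redact(loadTestPrivateKey({ TEST_PRIVATE_KEY: SAMPLE_KEY })));
```

The entropy floor is what separates a real key from a placeholder such as 0x000...001 that tutorials sometimes use; the report's own finding says the flagged value is high-entropy, which is the property the scanner keys on. The loader deliberately reports only that the variable is missing or malformed, never its value, so the harness cannot leak a key through CI logs.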

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for Web3 financial operations: it automates MetaMask wallet actions (importing a private key), network setup (RPC/chainId), transaction signing/confirmation (metamask.confirmTransaction with custom gas), token approvals (approveTokenPermission with spend limits), and multi-step DeFi interactions and on-chain state changes. Those are concrete crypto/blockchain capabilities that can initiate and approve on-chain transfers, so this grants direct financial execution authority. The local-chain and test-key framing bounds the blast radius only while the wallet is actually pointed at a local chain; the same confirm and approve steps execute against whatever network the RPC URL and chainId select.
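A harness that can confirm transactions and grant approvals on an agent's behalf should decide, before it calls the wallet, whether the proposed action is within bounds. The following is an added example, not code from the Snyk report, the synpress-e2e skill, or the Synpress API: a policy gate evaluated before a confirm or approve step. The action shape, the limit values and the function names are this example's assumptions; the confirm callback stands in for whatever wallet call the harness uses and its real signature is not modelled.

```javascript
// Added example (not the synpress-e2e skill's code and not a Synpress API).
const MAX_UINT256 = (1n << 256n) - 1n;

// Assumed limits for a local test run; a real harness would load these from config.
const POLICY = {
  allowedChainIds: new Set([31337, 1337]), // Hardhat / Anvil and Ganache defaults
  maxValueWei: 10n ** 18n,                 // at most 1 ETH-equivalent of value per tx
  maxGasLimit: 5_000_000n,
  maxApprovalAmount: 10n ** 24n,           // 1,000,000 tokens at 18 decimals
};

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// action: { kind: 'transaction' | 'approval', chainId, to?, valueWei?, gasLimit?,
//           spender?, amount? }  (numeric fields as decimal strings or bigint)
function evaluateAction(action, policy = POLICY) {
  const reasons = [];
  if (!policy.allowedChainIds.has(action.chainId)) {
    reasons.push(`chainId ${action.chainId} is not a local test chain`);
  }
  if (action.kind === 'transaction') {
    if (!ADDRESS_RE.test(String(action.to))) reasons.push('to is not a valid address');
    const value = BigInt(action.valueWei ?? 0);
    if (value > policy.maxValueWei) reasons.push('value exceeds per-transaction cap');
    const gas = BigInt(action.gasLimit ?? 0);
    if (gas > policy.maxGasLimit) reasons.push('gas limit exceeds cap');
  } else if (action.kind === 'approval') {
    if (!ADDRESS_RE.test(String(action.spender))) reasons.push('spender is not a valid address');
    const amount = BigInt(action.amount ?? 0);
    if (amount === MAX_UINT256) {
      reasons.push('unlimited (uint256 max) approval is not allowed');
    } else if (amount > policy.maxApprovalAmount) {
      reasons.push('approval amount exceeds cap');
    }
  } else {
    reasons.push(`unknown action kind ${action.kind}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Runs the gate and calls `confirm` only on allow, so a denied action never
// reaches the wallet. `confirm` is the harness's wallet call (assumed shape).
async function gatedConfirm(action, confirm, policy = POLICY) {
  const verdict = evaluateAction(action, policy);
  if (!verdict.allowed) return { confirmed: false, reasons: verdict.reasons };
  await confirm(action);
  return { confirmed: true, reasons: [] };
}

// Constructed sample actions: a bounded local transfer, an unlimited approval,
// and a tiny transfer on mainnet (chainId 1) that the gate must still refuse.
const SAMPLE_ACTIONS = [
  { kind: 'transaction', chainId: 31337, to: '0x' + '11'.repeat(20),
    valueWei: '500000000000000000', gasLimit: '21000' },
  { kind: 'approval', chainId: 31337, spender: '0x' + '22'.repeat(20),
    amount: MAX_UINT256.toString() },
  { kind: 'transaction', chainId: 1, to: '0x' + '33'.repeat(20),
    valueWei: '1', gasLimit: '21000' },
];

// Stand-alone run with a stub confirm that only records what it was asked to sign.
const signed = [];
const stubConfirm = async (a) => { signed.push(a); };
Promise.all(SAMPLE_ACTIONS.map((a) => gatedConfirm(a, stubConfirm))).then((results) => {
  results.forEach((r, i) => console.log(`action ${i}:`, r));
  console.log('actions that reached the wallet:', signed.length);
});
```

The chain allowlist is the check that matters most for the finding above: a test key and a local chain are only a bounded risk while the network the harness confirms against really is local, so the gate refuses anything else before the custom-gas confirm or the spend-limit approval is issued.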

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:11 AM