li-fi-api

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed an API key directly in curl commands (e.g., -H "x-lifi-api-key: YOUR_API_KEY"), which encourages the agent to accept and output secrets verbatim in commands and thus poses a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a dedicated crypto/DeFi integration (LI.FI REST API) that explicitly provides endpoints for getting swap/bridge quotes, producing transactionRequest objects ready for execution, populating step transactions (/advanced/stepTransaction), submitting contract calls (/quote/contractCalls) and tracking cross‑chain transaction status. It is specifically designed to move tokens, perform swaps, bridges and DeFi operations (including building multi‑chain payment flows and executing transactions), not a generic tool. These are direct financial execution capabilities in the crypto domain.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:52 AM