mesh-wallet

Fail

Audited by Snyk on Feb 22, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets directly (e.g., BlockfrostProvider('your-api-key') and an inline mnemonic array), which would require the model to place API keys or mnemonic words verbatim into generated code — an insecure pattern.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a Cardano wallet integration with APIs to create, sign, and submit blockchain transactions. It exposes headless server-side wallets (from a mnemonic or private keys), transaction signing methods (signTx, signTxReturnFullTx, signData), and submitTx, which returns a transaction hash. These methods and headless wallet capabilities are specifically designed to move cryptocurrency funds on-chain (including multi-signature workflows), so the skill holds direct financial execution authority.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 22, 2026, 06:02 AM