bap-identity

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill repeatedly shows and instructs embedding plaintext passwords/passphrases directly into CLI commands and examples (e.g., --password, -p "password"/"strongpass"/masterpass), which would require the LLM to handle and output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for Bitcoin identity and wallet backup management. It includes commands and APIs to create identities (producing root private keys and xprv), extract member backups containing WIF/private key material, decrypt/re-encrypt backups, and programmatic access to identity keys. These are concrete crypto/wallet management capabilities (handling private keys and wallet backups), which meet the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for direct financial execution risk.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:24 AM