shioaji

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's code examples show API keys, secret keys, and CA passwords being passed as literal string arguments (e.g., api.login(api_key="YOUR_API_KEY", secret_key="YOUR_SECRET_KEY")), which would require the agent to accept and embed secrets verbatim into generated code or commands.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an explicit trading API (Shioaji) for Taiwan markets. It documents account login with API keys and certificate activation, account objects, and direct order operations: api.place_order, api.update_order, api.cancel_order, order types (market/limit), futures/options/stocks trading, and account/position queries. These are specific tools to send financial transactions (place/modify/cancel market orders), so it grants direct financial execution capability.