nunchuk-wallet-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly references passing an extended private key via the --xprv flag and exporting backup material to stdout, which would require including secret key material verbatim in commands or output and thus creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet management tool: it lists and inspects wallets, retrieves receive addresses, exports backups/descriptors, recovers wallets, and signs dummy PSBTs (including options to use stored keys, --fingerprint, or --xprv). These are crypto/blockchain wallet operations (key material handling and transaction signing). Even though the doc mentions dummy transactions cannot be broadcast, the presence of wallet export/recover and signing functionality is a specific crypto wallet capability that constitutes direct financial execution authority per the rules.