monetize-game
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to read and echo the user's Play.fun API key (e.g., via cat ~/.claude.json and echo "User API Key: $API_KEY"), substitute the actual key into an index.html meta tag, and offers a manual CLI paste method, all of which require handling and outputting secret values verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for monetizing games via the Play.fun/OpenGameProtocol platform and includes concrete, non-generic integrations that enable token/wallet functionality: it instructs storing and using a user API key, calling the Play.fun API (POST https://api.play.fun/games), embedding the Play.fun browser SDK that exposes addPoints/savePoints (which sync buffered points to the server), and mentions "wallet connect for claiming rewards" and "Launch a playcoin for your game (token rewards for players)". Those elements are specific to crypto/token reward flows and wallet interactions (not just generic browser automation or HTTP calls), so this skill grants direct financial/crypto execution capability risk.
Issues (2)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).