orderly-api-authentication

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill contains explicit code that logs and prints private keys, shows privateKey values passed directly into requests, and instructs displaying/storing raw private keys (e.g., console.log('Private Key (hex):', ...)), which requires the agent to handle or output secrets verbatim and thus is high risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly documents authenticated API flows for trading and funds movement: it shows how to register API keys with scopes including "trading" and "asset", provides a signAndSendRequest helper and examples that place orders (POST /v1/order), cancel orders (DELETE /v1/order), and submit withdrawals (POST /v1/withdraw_request). It also details withdraw and settle endpoints and nonce flows. These are specific, primary financial execution operations (placing/canceling market orders and initiating withdrawals), so it grants direct financial execution authority.