tulebank

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to collect and embed secrets verbatim (API keys and OTP codes) into CLI commands (e.g., tulebank setup --api-key <key>, tulebank otp --code <code>), which requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill calls the Ripio proxy (e.g., beneficiaries search and beneficiaries add) and parses holder metadata returned (name, CUIT, bank, aliases/CVUs) from that external service as part of the decision and confirmation flow, which exposes the agent to untrusted/user-provided third‑party content that can influence sending actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a payments/crypto off‑ramp tool. It provides CLI commands to send fiat (ARS) to CVU/ALIAS, add beneficiaries, create off‑ramp sessions, auto‑send tokens from a configured wallet, swap USDC↔wARS, and activate fiat accounts via the Ripio Ramps proxy. It also handles wallet setup, OTP/KYC, returns transaction hashes, and instructs using tulebank send --amount and --token to perform transfers. These are concrete, specific financial-execution capabilities (crypto wallet operations, swaps, and bank transfers), not generic automation — so it grants Direct Financial Execution Authority.