browser-strategy-management

Fail

Audited by Snyk on Feb 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's instructions repeatedly show and require embedding credential values directly into browser_fill calls (e.g., value="password", "new_api_key", "correct_secret") and prompt the agent to perform login/API key updates, which forces the LLM to handle/output secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for managing trading strategies in the OpenAlgo web UI: it automates enabling/disabling strategies, starting/stopping them, and updating broker API keys and secrets (e.g., BROKER_API_KEY / BROKER_API_SECRET). Those actions are specific to trading infrastructure and directly enable or restore an agent's ability to execute market activity via broker/exchange integrations. This is not a generic browser tool — it is explicitly designed for financial operations and can cause transactions to be sent when strategies run, so it constitutes direct financial execution authority.

Audit Metadata

Analyzed: Feb 23, 2026, 02:19 PM