meteora

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes examples that inline secrets (e.g., Keypair.fromSecretKey(/* your secret key */) and JUPITER_API_KEY = 'your-api-key'). Templates like these encourage users to embed API keys and wallet secret keys verbatim in code or commands, which risks secret exposure.
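As an added example (not code from the audited skill and not part of Snyk's report): the inlining pattern W007 describes, a small scanner that flags that pattern in skill instruction text, and the hardened alternative that reads the credential from the environment instead of the source file. The environment variable names (JUPITER_API_KEY, SOLANA_SECRET_KEY), the JSON-array key format and the sample instruction text are assumptions constructed for illustration; Keypair.fromSecretKey appears only in the scanned sample text and in comments.

```javascript
// Added example (not the audited skill's code or Snyk's tooling): the inlining
// pattern flagged by W007, a detector for it, and the hardened equivalent that
// loads credentials from the environment. Variable names are assumptions.

// --- Constructed text mimicking the flagged skill instructions ---
const FLAGGED_INSTRUCTIONS = [
  "const JUPITER_API_KEY = 'your-api-key';",
  "const wallet = Keypair.fromSecretKey(/* your secret key */);",
  "const signer = Keypair.fromSecretKey([12, 34, 56]);",
].join("\n");

// --- Constructed hardened text: credentials fetched at runtime, never inlined ---
const HARDENED_INSTRUCTIONS = [
  "const JUPITER_API_KEY = requireEnv('JUPITER_API_KEY');",
  "const wallet = Keypair.fromSecretKey(loadSecretKeyFromEnv('SOLANA_SECRET_KEY'));",
].join("\n");

// Rule 1: a credential-named variable assigned a quoted literal. Even a
// placeholder like 'your-api-key' counts: the template trains users to paste
// a real key into source, which is what W007 warns about.
const LITERAL_CREDENTIAL =
  /\b([A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)\s*[:=]\s*(['"`])[^'"`]*\2/i;
// Rule 2: fromSecretKey called with inline bytes, a quoted string or a comment
// placeholder rather than a value obtained at runtime.
const INLINE_SECRET_KEY = /fromSecretKey\(\s*(?:\[|['"`]|\/\*)/;

// Scan instruction text line by line; return one finding per matched rule.
function findInlinedSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    const m = line.match(LITERAL_CREDENTIAL);
    if (m) {
      findings.push({ line: idx + 1, rule: "literal-credential", name: m[1] });
    }
    if (INLINE_SECRET_KEY.test(line)) {
      findings.push({ line: idx + 1, rule: "inline-secret-key", name: "fromSecretKey" });
    }
  });
  return findings;
}

// --- Hardened helpers ---
// Fail closed when a required variable is absent; never fall back to a literal.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (typeof value !== "string" || value.length === 0) {
    throw new Error(`missing required environment variable ${name}`);
  }
  return value;
}

// Load a 64-byte Solana secret key from the environment. The JSON-array
// format (as written by solana-keygen) is an assumed input format. The
// returned bytes are what Keypair.fromSecretKey from @solana/web3.js consumes;
// the key itself never appears in source, instructions or shell history.
function loadSecretKeyFromEnv(name, env = process.env) {
  const raw = requireEnv(name, env);
  let bytes;
  try {
    bytes = Uint8Array.from(JSON.parse(raw));
  } catch {
    throw new Error(`${name} must be a JSON array of bytes`);
  }
  if (bytes.length !== 64) {
    throw new Error(`${name} must contain exactly 64 bytes, got ${bytes.length}`);
  }
  return bytes;
}

// Running the scanner over both samples: the flagged text yields three
// findings, the hardened text none.
console.log(findInlinedSecrets(FLAGGED_INSTRUCTIONS));
console.log(findInlinedSecrets(HARDENED_INSTRUCTIONS));
```

The scanner deliberately flags placeholder values, since the finding is about what the instruction template teaches, not about whether a live key is present on the page. The loader rejects a missing variable and a wrong key length rather than substituting a default, so a misconfigured environment fails before any transaction is signed.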

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a DeFi SDK suite for Solana with explicit on-chain financial operations. It exposes functions and CLI commands that create pools, execute swaps, buy and sell on bonding curves, deposit and withdraw funds, stake and unstake, claim rewards and fees, fund rewards, migrate and liquify pools, and send signed transactions (e.g., dlmm.swap, cpAmm.swap, dbc.buy/sell, vault.deposit/withdraw, m3m3.stake/claim, zap.zapIn/zapOut, and the meteora-invent create and seed-liquidity commands). These are direct crypto/blockchain financial actions that move value and require wallet signing, i.e., direct financial execution capability.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 09:11 PM