bank-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly includes an "export-private-key" action that returns the wallet private key (a secret) verbatim and exposes a default keystore password in the prompt, so the agent would be required to output secrets directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly and primarily designed to move money. It integrates with the Wise API (traditional banking) and includes explicit banking operations such as initiating transfers ("send" action), checking balances, and retrieving receive details. It also provides on-chain crypto capabilities (Base network + Uniswap) including creating wallets, exporting private keys, swapping ETH for tokens ("buy-token"), and sending ERC‑20/native tokens ("send-token"). These are specific financial execution functions (payment gateway/banking API use and crypto wallet/swap/send operations), not generic tooling.