wagmi
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This prompt hard-codes API endpoints with a "KEY" placeholder (https://.../v2/KEY), implying the agent/user will embed API keys directly into generated code/URLs (an explicit secret-in-output pattern), even though one connector uses an env var.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for building Web3 dApps and includes wallet connection, transaction signing, and contract write capabilities. The examples show connecting wallets (MetaMask/WalletConnect), using useWriteContract/writeContract to call ERC-20 transfer, and waiting for transaction receipts — i.e., sending signed on-chain transactions and transferring tokens. These are direct crypto/blockchain financial execution capabilities.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata