auth-provider

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that instruct embedding API keys/secrets directly (CLI flags like --key/--secret and code samples with literal api_key_here/api_secret_here), which would require an agent to accept and output secret values verbatim, creating exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly manages API keys and OAuth credentials for financial services: it lists Binance as a supported provider, provides CLI and API functions to save/get Binance API keys, and exposes getBinanceClient('prod') (with example use of account info). Managing exchange API keys and returning a provider-specific client is a targeted integration with a crypto exchange (a financial API) that can be used to place orders, transfer funds, or sign transactions. It also includes QuickBooks (accounting) OAuth scopes. Because this is a specific, non-generic integration with financial providers (not just a generic HTTP or browser tool), it meets the criteria for Direct Financial Execution authority.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 20, 2026, 03:54 AM