binance-auth

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill's examples and CLI usage explicitly show API keys and secrets passed as command-line flags and logged/printed (e.g., --key/--secret and console.log('API Key:', credentials.apiKey)), which requires embedding or echoing secret values verbatim and therefore enables exfiltration.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for Binance (a cryptocurrency exchange) API authentication and key management. It securely stores API keys/secrets, supports production (real funds) and testnet environments, performs HMAC-SHA256 signing, and exposes APIs/CLI for connecting API keys, retrieving credentials, checking balances, and validating permissions (including canTrade and canWithdraw). This is a purpose-built crypto exchange integration (not a generic tool) that enables real trading/withdrawal when used with trading functions, so it constitutes direct financial execution authority.