trading212-api
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I searched the full prompt for literal, high-entropy credential-looking strings. Two values stand out and are repeated in examples:
  - 35839398ZFVKUxpHzPiVsxKdOtZdaDJSrvyPF (shown as an "API Key (ID)" example)
  - 7MOzYJlVJgxoPjdZJCEH3fO9ee7A0NzLylFFD4-3tlo (shown as an "API Secret" example and used in a sample precomputed Authorization header)
These are random-looking, high-entropy alphanumeric (one with a hyphen) strings that match the definition of a secret (API key + secret). They are embedded directly in example commands (not redacted or truncated), so under the analysis protocol they should be treated as real/usable credentials and flagged.
I ignored other non-sensitive items such as environment variable names, obvious placeholders ("your-api-key", "<YOUR_API_KEY_ID>", "your-api-secret"), and simple example passwords—none of which meet the high-entropy secret criteria.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to interact with a brokerage API (Trading 212) and includes endpoints and instructions to place market, limit, stop, and stop-limit orders, cancel orders, and manage positions. It describes authentication for LIVE (real money) vs DEMO, how to build auth headers, and includes concrete POST/DELETE requests that execute trades (e.g., POST /api/v0/equity/orders/market) and cancel orders. Because its primary and explicit purpose is to execute financial market orders and manage trading accounts (including live-money operations), it grants direct financial execution capability.
Audit Metadata