authenticate-wallet

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill repeatedly runs "npx fibx@latest", which at runtime fetches and executes remote code from the npm registry (e.g. https://registry.npmjs.org/fibx) and is a required dependency for the skill, so this is a runtime external dependency that executes remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for a crypto wallet: it provides CLI commands to import private keys (with local encryption), authenticate via Privy OTP, and is described as "required before any wallet operation (balance, send, trade, aave)". Private key import and session management for a blockchain wallet directly enables signing and executing crypto transactions. This is a specific crypto/blockchain capability (wallets/signing), not a generic tool, so it meets the "Direct Financial Execution" criteria.