bitflow
Fail
Audited by Snyk on May 20, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt explicitly allows and documents passing a wallet password inline via
--wallet-password(a direct CLI secret argument) and does not prohibit embedding user-supplied wallet secrets verbatim, so the agent could be required to include sensitive values in generated commands or outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill calls public Bitflow endpoints (the Bitflow BFF/public API via bitflowService.getTicker, getSwapQuote, getHodlmmPools/getHodlmmPoolBins, etc., as implemented in bitflow.ts and described in SKILL.md/AGENT.md) and directly consumes those responses to rank routes, compute price impact, and decide/execute swaps and keeper actions, so untrusted third‑party API content can materially influence agent decisions and tool use.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a decentralized-exchange (DEX) client with on-chain write operations: it can execute token swaps, add/withdraw liquidity, create/cancel Keeper automated swap orders, and returns transaction IDs and explorer URLs. Write operations require an unlocked wallet or wallet password, indicating signing/sending transactions on mainnet. This is a specific crypto/blockchain execution capability (sending transactions, managing funds, scheduling orders), not a generic tool.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata