wf-api-integration

Fail

Audited by Snyk on Jun 25, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires collecting sensitive values (WF Client ID, WF User ID, API URL, key file paths) and mandates filling them directly into generated WfConfig code (prohibiting placeholders), which forces the LLM to output those secret values verbatim in generated source.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to integrate with WorldFirst (WF) payment APIs and includes concrete, money-moving operations: createTransfer (WF account-to-account transfers), createPayout (payouts to third‑party bank accounts/e‑wallets), submitTradeOrder (trade/order uploads related to cross‑border settlement), plus related inquiry and notification endpoints for confirming fund movements. It also requires real WF credentials and RSA keys (WfConfig collects clientId, userId, private/public key paths), and test generation specifies real HTTP calls. These are specific financial execution APIs (not generic HTTP or browser tools) intended to initiate and manage payments, so it grants Direct Financial Execution Authority.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 25, 2026, 09:54 PM
Issues
2
Security Audit — snyk — wf-api-integration