wf-api-integration
Fail
Audited by Snyk on Jun 25, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires collecting sensitive values (WF Client ID, WF User ID, API URL, key file paths) and mandates filling them directly into generated WfConfig code (prohibiting placeholders), which forces the LLM to output those secret values verbatim in generated source.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to integrate with WorldFirst (WF) payment APIs and includes concrete, money-moving operations: createTransfer (WF account-to-account transfers), createPayout (payouts to third‑party bank accounts/e‑wallets), submitTradeOrder (trade/order uploads related to cross‑border settlement), plus related inquiry and notification endpoints for confirming fund movements. It also requires real WF credentials and RSA keys (WfConfig collects clientId, userId, private/public key paths), and test generation specifies real HTTP calls. These are specific financial execution APIs (not generic HTTP or browser tools) intended to initiate and manage payments, so it grants Direct Financial Execution Authority.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata