wallet-create-ordinals
Fail
Audited by Snyk on May 8, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill shows passing private keys/WIF (e.g., <wif>, paymentPrivateKey) as direct CLI args and config fields, which would require the model to handle or emit secret key material verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skill explicitly sends the user's private key (WIF) and the file content to an external remote wallet endpoint via createRemoteWallet(activeRemote = https://api.1sat.app/1sat/wallet) and inscribe.execute, which constitutes credential exposure and data exfiltration risk; no hidden eval/remote shells/obfuscation or other backdoor primitives were observed.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides blockchain wallet-backed transaction creation, signing, and broadcasting capabilities. It uses @1sat/actions to "inscribe.execute" (construct and broadcast inscription transactions) and requires wallet credentials (WIF/paymentPrivateKey, utxos, BRC-100 wallet). It also exposes token deployment via deployBsv21Token with paymentUtxos, paymentPk, initialDistribution and destinationAddress. These are specific crypto/blockchain operations (creating/sending on-chain transactions, minting tokens) — i.e., direct financial execution.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).