bitcoin-auth-diagnostics

Fail

Audited by Snyk on Jun 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill instructs parsing, logging, and printing full bitcoin-auth tokens and signature fields and includes client examples that accept a privateKeyWif, which would require the agent to handle and potentially echo sensitive authentication tokens or private key material verbatim — a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes crypto signing operations and direct use of private keys. Examples show client-side token generation using getAuthToken({ privateKeyWif, ... }) and a "wallet connect" flow that uses a privateKeyWif and BSM/BRC77 signature schemes. It uses the bitcoin-auth library to create/verify signatures tied to wallet keys (crypto wallet signing). Those are specific blockchain/crypto wallet signing capabilities (private key handling), which under the policy count as Direct Financial Execution authority even if the examples focus on auth tokens rather than broadcasting transactions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 16, 2026, 10:13 AM
Issues
2
Security Audit — snyk — bitcoin-auth-diagnostics