bitcoin-auth-diagnostics
Fail
Audited by Snyk on Jun 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill instructs parsing, logging, and printing full bitcoin-auth tokens and signature fields and includes client examples that accept a privateKeyWif, which would require the agent to handle and potentially echo sensitive authentication tokens or private key material verbatim — a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes crypto signing operations and direct use of private keys. Examples show client-side token generation using getAuthToken({ privateKeyWif, ... }) and a "wallet connect" flow that uses a privateKeyWif and BSM/BRC77 signature schemes. It uses the bitcoin-auth library to create/verify signatures tied to wallet keys (crypto wallet signing). Those are specific blockchain/crypto wallet signing capabilities (private key handling), which under the policy count as Direct Financial Execution authority even if the examples focus on auth tokens rather than broadcasting transactions.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata