bankr

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask users for secrets (OTP, API keys, private keys) and to construct/run commands that embed those secrets verbatim (e.g., --code , --api-key bk_..., -H "X-API-Key: ...", BANKR_PRIVATE_KEY=0x...), which is high-risk secret handling.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly enables a built-in headless web browser and shows required workflows that open and read arbitrary public web pages and social feeds (see the "Web Browsing" section and examples like "Browse coingecko.com" and "Go to this URL and extract the token contract address", plus public tweets in references/agent-profiles.md), so the agent will ingest untrusted third‑party content that can materially influence subsequent tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet controller. It exposes Wallet APIs (/wallet/transfer, /wallet/sign, /wallet/submit), CLI commands (bankr wallet transfer, bankr wallet sign, bankr wallet submit), trading features (token swaps, limit/stop-loss orders, leverage trading, bridge/cross-chain, market orders), token deployment, Polymarket betting, LLM credit top-ups from wallet, x402 automatic USDC payments, and arbitrary raw transaction submission. These are concrete, purpose-built financial capabilities to move funds, sign transactions, and execute trades (not generic HTTP/browser tooling). Although keys can be made read-only by default, the skill explicitly supports read-write keys and flags to enable transaction execution. Therefore it grants direct financial execution authority.