bankr

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask users for OTPs/API keys and construct CLI commands or curl requests that embed those secrets verbatim (e.g., --code , --api-key bk_..., X-API-Key headers, BANKR_PRIVATE_KEY on the command line), which requires the LLM to handle and output secret values directly and poses exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly documents a built-in headless "Web Browsing" capability that opens arbitrary URLs and reads page content (e.g., "Go to this URL and extract the token contract address" and "Browse coingecko.com and get the top trending tokens"), so the agent will fetch and interpret untrusted public web/social content that can directly influence actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet API with built-in transaction capabilities. It documents wallet-level write endpoints (/wallet/transfer, /wallet/sign, /wallet/submit), CLI commands to transfer, swap, buy/sell tokens, place market/limit/stop orders, leverage trading, Polymarket bets, token deployment, LLM credit top-ups paid from wallet, x402 paid API calls with automatic USDC payments, and arbitrary raw transaction submission. These are specific, non-generic financial execution functions (sending funds, signing and broadcasting transactions, executing market orders), so it grants direct financial execution authority.