bankr
Fail
Audited by Snyk on May 5, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask users for OTPs and API keys and to construct/execute commands embedding those values (e.g., --code , --api-key bk_...), which requires outputting secrets verbatim and creates exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public, user-generated content (e.g., social sentiment analysis, OpenSea listings, and the GET /agent-profiles/:identifier/tweets endpoint that returns recent tweets) and describes workflows where the agent reads and acts on that data (market research, trading, automations, and x402 web discovery), so untrusted third-party content can influence tool use and decisions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading and wallet API with built-in transaction execution. It exposes dedicated write endpoints and commands for moving funds (POST /wallet/transfer, /wallet/sign, /wallet/submit; CLI commands like bankr wallet transfer, bankr wallet submit), trading operations (token swaps, limit/stop/DCA/TWAP, leverage on Hyperliquid/Avantis), cross-chain bridging, Polymarket betting, x402 paid API calls with automatic USDC payments, and arbitrary raw transaction submission. The documentation also describes API keys with a read-write flag and gives examples that perform buys/transfers. These are specific, purpose-built financial execution capabilities (not generic I/O), so this skill grants direct financial execution authority.
Issues (3)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata