bingx-dynamic-sl-tp

Fail

Audited by Snyk on Jun 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill defines and requires using a signing function (fetchSigned) that takes apiKey and secretKey and instructs modifying the call parameters, which implies the agent will handle/insert API keys or secrets into generated code/requests and thus may need to expose them verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute trades on a crypto exchange (BingX). It includes concrete endpoints and methods for placing and cancelling orders (/openApi/swap/v2/trade/order POST to "Place conditional SL/TP order" and DELETE to cancel), a signed request helper (fetchSigned) that takes API key and secret and produces HMAC signatures, and execution steps that automatically cancel and place conditional stop-loss / take-profit orders. Those are direct market-order/conditional-order APIs for a crypto trading platform. Requiring user confirmation does not remove the fact that the skill is built to send signed trade requests and manage orders.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 03:46 PM
Issues
2
Security Audit — snyk — bingx-dynamic-sl-tp