bingx-dynamic-sl-tp
Fail
Audited by Snyk on Jun 19, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill defines and requires using a signing function (fetchSigned) that takes apiKey and secretKey and instructs modifying the call parameters, which implies the agent will handle/insert API keys or secrets into generated code/requests and thus may need to expose them verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to execute trades on a crypto exchange (BingX). It includes concrete endpoints and methods for placing and cancelling orders (/openApi/swap/v2/trade/order POST to "Place conditional SL/TP order" and DELETE to cancel), a signed request helper (fetchSigned) that takes API key and secret and produces HMAC signatures, and execution steps that automatically cancel and place conditional stop-loss / take-profit orders. Those are direct market-order/conditional-order APIs for a crypto trading platform. Requiring user confirmation does not remove the fact that the skill is built to send signed trade requests and manage orders.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata