bingx-spot-account
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill's examples and required fetchSigned function take apiKey and secretKey as direct parameters and show them used in headers/signature, which forces the agent to supply secret values (or embed them in generated calls) to produce signed requests, creating a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for a crypto exchange (BingX) and exposes authenticated endpoints and concrete methods to move funds: POST /openApi/api/asset/v1/transfer (asset transfers between accounts), POST /openApi/wallets/v1/capital/innerTransfer/apply (internal P2P transfer), plus transfer-record queries and signed HMAC auth code (fetchSigned) for executing calls. The docs also include trading/order parameters (MARKET/BUY/SELL), indicating capability to place market/limit orders. This is a specific financial integration (crypto exchange APIs, signed requests, and explicit "execute transfer" flows with CONFIRM for prod-live), not a generic tool — therefore it grants direct financial execution authority.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata