blave-quant

Fail

Audited by Snyk on Jul 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill docs for literal values that look like real, usable credentials (high-entropy strings, API secrets, private keys, etc.). I only flagged values that are embedded as literal secrets used in HMAC/signing or similar auth flows.

Flagged (real secret-like values):

  • "1c10e0c0-bc3e-4a18-ad53-e41e6df5f757"
  • "520815df-b324-4494-9bc8-b1015732b902"

Why flagged: both are GUID-style strings embedded in the KuCoin Broker Attribution section as the secret inputs to HMAC calculations (KC-API-PARTNER-SIGN). They are high-entropy literal strings used as keys/secrets in signature generation — therefore they meet the definition of a secret.

Items inspected and explicitly ignored (not flagged), with reasons:

  • Many environment variable names (e.g., BINANCE_API_KEY, BITMART_API_SECRET, etc.): ignored because they are variable names/placeholders without values.
  • Placeholder values such as YOUR_API_KEY, YOUR_SECRET_KEY, YOUR_PASSPHRASE, YOUR_MEMO, etc.: documentation placeholders — ignored per rules.
  • Broker IDs / static headers / affiliate codes included in examples:
  • "BlaveData666666" (BitMart broker ID)
  • "BX-AI-SKILL" (BingX X-SOURCE-KEY)
  • "GBN6HWR2", "52DDFAFN" and their newClientOrderId prefixes (Binance broker IDs)
  • "ZZDLtrXMF" (Bitfinex affiliate code)
  • "Ue001036" (Bybit referer) These are identifiers or affiliate codes used in requests; they are not high-entropy secrets providing account access and are documented as required headers/IDs — therefore ignored.
  • Example/tracing strings like "a1b2c3d4-e5f6-7890-abcd-ef1234567890" or short illustrative tokens in response traces: treated as illustrative/test values, not active credentials.
  • Any truncated/redacted strings or explicit placeholders (sk-xxxx, YOUR_API_KEY, etc.): ignored per doc rules.

Conclusion: the two KuCoin GUIDs are literal high-entropy secret-like values present in the docs and should be treated as secrets; everything else is either a placeholder, a public identifier, or low-entropy and therefore ignored.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly integrates with multiple crypto/exchange trading APIs (Binance, Bybit, OKX, Bitget, Bitfinex, KuCoin, BitMart, etc.) and defines WRITE operations for placing/modifying/cancelling orders, opening/closing positions, adjusting leverage, submitting/cancelling funding offers, and performing wallet/sub-account/fiat transfers. It specifies .env API keys, exchange endpoints, and a confirm-to-execute workflow — i.e., the skill is designed to send market orders and move funds. Although it requires an explicit "CONFIRM" safety step, the capability to execute financial transactions is explicit and direct.

Issues (2)

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 6, 2026, 12:00 AM
Issues
2
Security Audit — snyk — blave-quant