blave-quant

Fail

Audited by Snyk on Jul 7, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I reviewed the skill docs for literal credential-like values. Most occurrences are environment variable names or placeholders (e.g., YOUR_API_KEY, YOUR_SECRET_KEY, YOUR_MEMO) or public/static broker/affiliate identifiers (e.g., BlaveData666666, GBN6HWR2, ZZDLtrXMF, BX-AI-SKILL) which are either non-secret headers or documentation examples and should be ignored.

However, CLAUDE.md contains two UUID-like strings embedded directly inside a Base64(HMAC-SHA256(...)) expression used for KC-API-PARTNER-SIGN:

  • "1c10e0c0-bc3e-4a18-ad53-e41e6df5f757"
  • "520815df-b324-4494-9bc8-b1015732b902"

These are high-entropy literal values used as HMAC keys in the example (i.e., the secret/key argument to HMAC). That fits the definition of a secret (a literal value used to generate signatures/provide access). Therefore they should be flagged. All other candidates in the docs were placeholders, public IDs, or low-entropy examples and are ignored per the rules.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides trading and wallet-transfer capabilities across multiple named exchanges (BitMart, OKX, Bybit, Binance, Bitfinex, KuCoin, etc.), lists WRITE operations such as placing/modifying/canceling orders, opening/closing positions, submitting funding offers/loans, and performing wallet transfers, and requires API keys/.env credentials and a confirm-execute workflow. These are specific financial execution functions (market orders, transfers, funding), not generic tools—so it grants Direct Financial Execution Authority.

Issues (3)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 05:46 PM
Issues
3
Security Audit — snyk — blave-quant