cartridge-rpc

Fail

Audited by Snyk on Apr 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt demonstrates embedding API tokens directly in command-line headers (curl -H "Authorization: Bearer YOUR_API_TOKEN") and gives CLI examples that instruct the user to include tokens in requests, which encourages the LLM to handle or output secrets verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill exposes dedicated Starknet RPC endpoints (mainnet and sepolia) with authenticated API tokens and CORS support. A blockchain RPC is a specific crypto-related API that can be used to submit transactions, interact with wallets/contracts, and perform on-chain value transfers. The presence of authenticated RPC endpoints and token management (and browser whitelisting) indicates explicit capability to execute blockchain operations, so this qualifies as direct financial execution capability.

Issues (2)

W007  HIGH    Insecure credential handling detected in skill instructions.
W009  MEDIUM  Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 30, 2026, 01:20 PM
Issues: 2