agentic-wallet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's instructions and command templates (e.g., npx awal auth verify <otp> and auth login <email>) require embedding user-provided authentication secrets (OTP/email verification codes) verbatim into CLI commands, which would expose secrets in the agent's output — a direct exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly exposes crypto wallet CLI commands that perform financial actions: sending tokens (npx awal send ), swapping/trading tokens (npx awal trade ), on-ramping/adding funds (fund/top-up), and paying x402 endpoints (npx awal x402 pay ). These are specific, purpose-built financial operations (wallet transfers, swaps, payments), not generic tooling. Therefore it grants direct financial execution authority.