crypto-com-exchange

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires constructing signed private API request bodies that include the api_key and a signature derived from the secretKey (and instructs asking users for credentials), so the LLM would need to accept and embed secret values in generated requests, creating an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a Crypto.com Exchange integration with authenticated private endpoints for trading and wallet actions. It includes APIs to create/cancel/amend orders (market/limit/advanced orders), create withdrawals, transfer between accounts, and manage balances/positions — all requiring API key + secret and HMAC signing. These are specific financial execution actions (placing market orders, withdrawals/transfers, managing positions), not generic tooling. Therefore it provides direct financial execution capability.