dflow-platform-fees

Fail

Audited by Snyk on Apr 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly tells the agent to ask for the user's DFlow API key and indicates that the key is "plumbed" into the HTTP client as an x-api-key header (i.e., used directly in requests), which creates a clear path for the LLM to receive and/or emit the secret verbatim in generated code or commands.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly and specifically about collecting on-chain monetary fees: it defines API parameters (platformFeeBps, platformFeeScale, platformFeeMode, feeAccount) that cause the DFlow Trade API to transfer tokens to a builder-controlled SPL token account (ATA) on successful trades. It references settlement mints (USDC/CASH), SPL accounts, and required pre-existing fee accounts, and instructs how to configure the trade API and API key to enable these transfers. This is not a generic tool — its primary purpose is to move money (collect platform fees) via the trading/payment flows.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 23, 2026, 04:01 AM
Issues: 2