vara-eth-app-builder

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly shows a CLI pattern that passes a private key as a command-line argument (ethexe key keyring import --private-key ...), and it instructs keeping private-key placeholders explicit, which encourages embedding secrets verbatim in generated commands and thus poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly requires obtaining and running the ethexe binary (e.g., via git clone https://github.com/gear-tech/gear.git or downloading https://get.gear.rs/#vara-eth) and fetching the sails-js package (https://github.com/gear-tech/sails/releases/download/js/v1.0.0-beta.1/sails-js.tgz), all of which are fetched at runtime and would execute remote code as required dependencies for the flows.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly describes blockchain transaction and wallet operations: importing a sender private key via ethexe, running transactions with --ethereum-rpc/--ethereum-router and --sender, uploading code, creating programs, topping up executable/native/wVARA balances, initializing programs, and calling ABI/ethereum transactions. It references specific crypto tooling (ethexe CLI, Solidity ABI, Vara.eth, wVARA) and procedures that send funds/state-changing transactions and require signing keys. These are explicit crypto/financial execution capabilities (wallet management, signing, sending funds/transactions), so it meets the Direct Financial Execution definition.