alloy
Audited by Snyk on Apr 23, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes literal private key strings and shows creating signers from raw private keys/mnemonics (e.g., parsing "0x..."), which encourages embedding secret values verbatim in generated code/commands and poses a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly connects to and ingests data from public RPC endpoints and WebSocket URLs (e.g., ProviderBuilder.on_http/on_ws with examples like https://eth.llamarpc.com, Infura, Alchemy) and subscribes to logs/blocks/transactions (see SKILL.md, references/subscriptions-events.md and references/payment-verification.md). It therefore consumes untrusted, user-generated on-chain content that the agent is expected to interpret and act upon (payment listeners, verification, automated triggers), which is the precondition for indirect prompt injection.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged the literal private key in the first code sample because it is a high-entropy, directly present private key value that would be usable by a PrivateKeySigner:
- Found secret: "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" — hex private key parsed into a PrivateKeySigner.
This meets the "Private Keys" inclusion rule and is not a placeholder. (Note: this exact value is a commonly used local/dev private key in examples/tools, but that does not change that it is a real private key literal in the docs and should be treated as a secret.)
Ignored items and why:
- address!("0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48") — on-chain contract address (public), not a secret.
- Instances of "0x..." in other examples — clear placeholders, not real values.
- RPC URL "https://eth.llamarpc.com" — endpoint URL, not a secret credential.
- Other simple/example strings and comments — either placeholders or low-entropy example values, per the doc's ignore rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a blockchain transaction and wallet library: it documents signers (private keys, mnemonics, Ledger/Trezor, AWS/GCP KMS), provider signer setup, and explicit APIs/examples to "send transactions", "Transfer Native ETH", "ERC-20 Token Transfer", provider.send_transaction(), token.transfer(), and payment verification/monitoring. These are specific crypto/blockchain capabilities to sign and send on-chain transfers (i.e., move funds) and manage wallets, which are direct financial execution functions.