corbits-marketplace

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs the user to export, copy, and paste an EVM private key into the corbits init prompt, which would require the agent to accept or handle the secret verbatim. This is a direct secret handling/exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provisions and uses payment infrastructure: automatic per-request USDC micropayments via the x402 protocol, MoonPay as the payment/on‑ramp provider, and commands for creating/funding wallets, exporting private keys, buying USDC (mp buy), swapping tokens (mp token swap), creating virtual bank onramps, deposit links, token bridging, and auto top‑ups. The /corbits call flow auto-deducts USDC from the MoonPay wallet. These are specific financial operations (crypto wallets, swaps, payment gateway interactions, and transaction execution), not generic tooling, so the skill grants direct financial execution capability.

Issues (2)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 27, 2026, 03:33 AM
Issues: 2