moonpay-auth

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs agents to read and embed sensitive values verbatim (mnemonics, private keys, OTP codes) into CLI commands (e.g., mp wallet import --mnemonic "...", --key , mp verify --code ), and even suggests autonomously extracting OTPs from email, which requires outputting secret values directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly installs and configures the MoonPay CLI and provides concrete commands to create and import local crypto wallets (mp wallet create, mp wallet import --key, mp wallet import --mnemonic), manage private keys, and authenticate the CLI (mp login / mp verify). These are crypto wallet management capabilities (private key import, wallet creation) that enable signing and moving funds. It also documents an autonomous login flow (reading OTP from email) that allows an agent to authenticate without human intervention. Because this is a specific crypto wallet tool (not a generic browser or HTTP caller) that directly enables blockchain wallets/keys and thus on-chain financial operations, it meets the "Direct Financial Execution" criteria.