openfin-setup
Fail
Audited by Snyk on May 27, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks the agent to retrieve or ask the user to paste an OpenFinance API key into the conversation and then use that exact key verbatim in request headers, which requires the LLM to handle a secret value directly and risks exfiltration.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for a finance backend and exposes crypto wallet integration: it requires an OpenFinance API key, instructs calling GET /agent/wallets (returns ethereum and solana wallet addresses), references Solana wallet being required for on-chain "Relay executes", and mentions an MCP tool get_wallet_addresses. These are specific crypto/wallet APIs (not generic tooling) and therefore grant direct financial/crypto execution authority.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata