blockfill-agent-execution
Fail
Audited by Snyk on Jun 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include proxy endpoints with embedded credentials, internal/third-party proxy hostnames, and a GitHub "official-skills" repo. The repo itself may be benign, but routing signed exchange API traffic through unknown or unverified proxies (user:pass@host forms and sc-vpn.internal hosts) can expose API keys or enable MitM. Treat these URLs as suspicious unless you verify control/trust of the proxy and inspect the repo code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading execution SDK/daemon that places orders on Binance Futures and OKX Swap. It exposes functions to set exchange API credentials, start a local daemon that signs orders, and a bf.place(...) API to submit execution "tickets" (maker/twap strategies) which create, supervise, cancel, and finalize exchange orders and change positions. This is a purpose-built tool to execute market/futures trades (send transactions) on exchanges, so it grants direct financial execution authority.
Issues (2)
CRITICAL E005: Suspicious download URL detected in skill instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata