upbit
Fail
Audited by Snyk on Jun 26, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt documents, and its own examples use, passing the access and secret keys inline on the command line (--access-key/--secret-key). It also requires the agent to show the full command for every write operation before executing it, so whenever that inline option is used the LLM will echo the secret values verbatim into its output.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill explicitly integrates with the Upbit exchange CLI and exposes authenticated private endpoints and write commands that can move funds and place market orders. Examples in the prompt include:
- orders create / cancel / cancel-and-new / cancel-by-uuids (place and cancel market/limit orders)
- withdraws create-withdrawal / create-krw-withdrawal / cancel-withdrawal (initiate withdrawals)
- deposits deposit-krw / create-coin-address (create deposit addresses)
- travel-rule verify-deposit... (verify transfers)
The skill documents three ways to supply API keys (a config file, environment variables, or inline per-command flags), any of which enables signed, authenticated requests. These are Upbit-specific exchange and market-order capabilities, not generic tooling, so the skill grants direct financial execution authority.
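A pre-flight gate that addresses both findings (W007 and W009) is shown below as an added example; it is not part of the skill, the Upbit CLI, or Snyk's tooling. It assumes the CLI is invoked as `upbit <group> <verb> ...`, takes the fund-moving verbs from the list under W009 (travel-rule is matched by the `verify-deposit` prefix because the audit shows that verb truncated), and takes the credential flags from W007. Credentials are expected to come from the CLI's config file or environment variables, which the gate deliberately does not handle; any command that carries them inline is rejected, and the version of the command shown to the user for confirmation has the secret values redacted.

```python
"""Pre-flight gate for an LLM agent driving an exchange CLI.

Illustrative code, not Upbit's or Snyk's. Assumes commands of the form
`upbit <group> <verb> [flags...]`; flags other than the two credential
flags are assumed to appear after the group/verb pair.
"""
import shlex

# Fund-moving subcommands named in finding W009.
WRITE_OPERATIONS = {
    "orders": {"create", "cancel", "cancel-and-new", "cancel-by-uuids"},
    "withdraws": {"create-withdrawal", "create-krw-withdrawal", "cancel-withdrawal"},
    "deposits": {"deposit-krw", "create-coin-address"},
}
# The audit lists this verb truncated ("verify-deposit..."), so match by prefix.
TRAVEL_RULE_PREFIX = "verify-deposit"

# Inline credential flags named in finding W007.
SECRET_FLAGS = ("--access-key", "--secret-key")


def split_credentials(argv):
    """Return (argv without credential flags, {flag: value}).

    Handles both `--flag VALUE` and `--flag=VALUE` spellings.
    """
    clean, secrets = [], {}
    i = 0
    while i < len(argv):
        name, eq, inline_val = argv[i].partition("=")
        if name in SECRET_FLAGS:
            if eq:
                secrets[name] = inline_val
                i += 1
            elif i + 1 < len(argv):
                secrets[name] = argv[i + 1]
                i += 2
            else:
                i += 1  # dangling flag with no value: drop it rather than guess
            continue
        clean.append(argv[i])
        i += 1
    return clean, secrets


def is_write_operation(argv):
    """True if the command targets a subcommand that can move funds or place orders."""
    clean, _ = split_credentials(argv)
    positional = [a for a in clean[1:] if not a.startswith("-")]
    if len(positional) < 2:
        return False
    group, verb = positional[:2]
    if group == "travel-rule":
        return verb.startswith(TRAVEL_RULE_PREFIX)
    return verb in WRITE_OPERATIONS.get(group, set())


def redact(argv):
    """Command line that is safe to echo: credential values replaced, positions kept."""
    out, i = [], 0
    while i < len(argv):
        name, eq, _ = argv[i].partition("=")
        if name in SECRET_FLAGS:
            out.append(f"{name}=REDACTED")
            i += 1 if eq else 2
            continue
        out.append(argv[i])
        i += 1
    return shlex.join(out)


def preflight(argv):
    """Decide how the agent may proceed with argv.

    Returns (decision, display_command):
      "reject"  - inline credentials present; they would be echoed in the
                  confirmation step and end up in the transcript.
      "confirm" - write operation; display_command is safe to show the user.
      "run"     - read-only command without inline credentials.
    """
    clean, secrets = split_credentials(argv)
    if secrets:
        return "reject", redact(argv)
    if is_write_operation(clean):
        return "confirm", shlex.join(clean)
    return "run", shlex.join(clean)


if __name__ == "__main__":
    # Constructed sample command lines; "market list" is a hypothetical read-only verb.
    for line in (
        "upbit market list",
        "upbit orders create",
        "upbit withdraws create-withdrawal --access-key AK123 --secret-key=SK456",
    ):
        print(preflight(shlex.split(line)))
```

The gate is only as good as its allow-list: it relies on the verbs the audit enumerates, so a new write verb in the CLI would fall through as "run" until the list is updated. Treating unknown groups as write operations is the safer default if the full command surface is not known.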
Issues (2)
W007
HIGH Insecure credential handling detected in skill instructions.
W009
MEDIUM Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata