upbit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly documents and permits passing access and secret keys inline (e.g., --access-key/--secret-key) and requires showing full commands before write operations, which encourages embedding secrets verbatim in generated commands and thus creates high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an explicit CLI integration for the Upbit crypto exchange and exposes authenticated write endpoints for financial actions: creating/cancelling orders (market/limit/best), withdrawals (create/cancel), deposits, and account/api-key management. It requires API credentials and documents commands like orders create, withdraws create-withdrawal, deposits deposit-krw, etc. These are specific, non-generic financial execution operations (placing market orders and moving funds), so it grants Direct Financial Execution authority.