openydt-coupon

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to embed plaintext credentials and sensitive fields verbatim into CLI commands and follow-up requests (e.g., --password / --trader-password and using prior responses as command arguments), which forces the LLM to handle secrets in its output and creates an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is not mere browsing or generic API invocation; it is dedicated to the "electronic coupon and merchant domain" business and explicitly includes a write interface that "sells" coupons to merchants, carrying money fields and transaction identifiers (e.g., the sell-coupon command with --sell-money, returning sellBillId, --transation-num, etc.). The documentation also specifies the amount unit (yuan), the settlement type (balanceType), and an idempotent transaction number. The primary semantics of commands such as sell-coupon / create-coupon are to record/execute coupon-sale transactions (producing bills/transaction numbers), which is an explicit funds/transaction execution operation and should therefore be treated as a direct financial execution capability risk.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 13, 2026, 01:16 PM
Issues
2
Security Audit — snyk — openydt-coupon