somnia-blockchain

Fail

Audited by Snyk on May 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill contains raw RPC/curl examples and code that place the session "seed" directly in request bodies or client calls (e.g., "seed": "0x" and passing seed to createSessionClient). These patterns require the LLM to include the secret value verbatim in its output and therefore pose a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides blockchain wallet and transaction APIs, with examples that allow sending value and executing on-chain trades: for example, the @somnia-chain/viem-session-account exports (createSessionClient, sessionActions), the somnia_sendSessionTransaction JSON-RPC method and its curl example, the client.sendTransaction and client.writeContract examples, the Zerion CLI mappings for zerion swap and zerion bridge, and examples of firing trades and creating agent requests with payable deposits. It also instructs how to generate and manage session seeds and how to fund session addresses. These are specific crypto/blockchain primitives for moving money and executing transactions (wallets, transaction submission, swaps), so the skill grants direct financial execution capability.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: May 6, 2026, 09:57 AM
Issues: 2