zerion-trails-deposit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples explicitly show passing a Trails API key as a string (e.g., apiKey="YOUR_TRAILS_API_KEY" and new TrailsApi('YOUR_TRAILS_API_KEY')), which encourages embedding secret API keys verbatim in generated code/commands and thus requires handling/outputting secrets directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to move crypto funds. It provides concrete blockchain/payment APIs and code to bridge tokens and deposit them into DeFi vaults on Polygon: Trails SDK (@0xtrails/api), TrailsApi.quoteIntent / commitIntent / executeIntent / waitIntentReceipt, useTrailsSendTransaction, widget/headless components, Zerion CLI wallet fund, and EIP‑712 signing (signIntent / signTypedData). It includes explicit transaction construction (ABI calldata, TRAILS_ROUTER_PLACEHOLDER_AMOUNT), token and vault addresses, chain IDs, and flows for quoting, committing, executing, and polling on-chain receipts. These are direct crypto/blockchain financial execution capabilities (bridging, signing, and submitting transactions), not generic tooling.