Security: 3 CRITICAL risks detected in bankr skills — AgentWard scan report

Hi Bankr team,
I've been running <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://github.com/agentward-ai/agentward">AgentWard</a>, an open-source permission scanner and runtime enforcement layer for OpenClaw skills. I scanned the bankr skill set and wanted to share the findings directly with you.
Summary: 10 tools scanned · 3 CRITICAL · 7 HIGH
The three CRITICAL findings are:
<ul class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3">
<li class="whitespace-normal break-words pl-2"><code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">bankr:polymarket_betting</code> — financial operations with credential access</li>
<li class="whitespace-normal break-words pl-2"><code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">bankr:token_deployment</code> — financial operations with credential access</li>
<li class="whitespace-normal break-words pl-2"><code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">bankr:arbitrary_transactions</code> — financial operations with credential access</li>
</ul>
The core issue: credential management and value-transfer operations share the same skill context. This means a crafted prompt — or a prompt injection from an external source — could trigger real financial transactions using stored credentials without any confirmation gate.
Full scan report:
<hr class="border-border-200 border-t-0.5 my-3 mx-1.5">
<h1 class="text-text-100 mt-3 -mb-1 text-[1.375rem] font-bold">AgentWard Scan Report</h1>
Generated: 2026-02-23 18:55 UTC
AgentWard version: 0.2.4
Tools scanned: 10
<blockquote class="ml-2 border-l-4 border-border-300/10 pl-4 text-text-300">
🔴 3 critical · 🟠 7 high
</blockquote>
<h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Permission Map</h2>
<div class="overflow-x-auto w-full px-2 mb-6">
Source | Tool/Skill | Capabilities | Risk | Why
-- | -- | -- | -- | --
Skill | bankr:trading_operations | read,write,read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:portfolio_management | read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:market_research | read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:transfers | read,write,read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:nft_operations | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:polymarket_betting | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk
Skill | bankr:leverage_trading | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:token_deployment | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk
Skill | bankr:automation | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:arbitrary_transactions | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk

</div>
<hr class="border-border-200 border-t-0.5 my-3 mx-1.5">
Recommended fix for the three CRITICAL skills:
Separate credential management from financial operations into distinct skills. Credential-handling capabilities should not share a skill with value-transfer operations. This way even if a prompt injection reaches the agent, it cannot access credentials and execute transactions in the same context.
For skill developers: Adding a <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">## Security</code> section to your SKILL.md documenting authentication requirements and value-transfer limits would also help AgentWard and other tools score your skill more accurately.
I'm not asking you to change anything — just flagging it in case it's useful. Happy to add a reference AgentWard policy for bankr users in our examples folder if that would help.Hi Bankr team,
I've been running [AgentWard](https://github.com/agentward-ai/agentward), an open-source permission scanner and runtime enforcement layer for OpenClaw skills. I scanned the bankr skill set and wanted to share the findings directly with you.
Summary: 10 tools scanned · 3 CRITICAL · 7 HIGH
The three CRITICAL findings are:

bankr:polymarket_betting — financial operations with credential access
bankr:token_deployment — financial operations with credential access
bankr:arbitrary_transactions — financial operations with credential access

The core issue: credential management and value-transfer operations share the same skill context. This means a crafted prompt — or a prompt injection from an external source — could trigger real financial transactions using stored credentials without any confirmation gate.
Full scan report:

AgentWard Scan Report
Generated: 2026-02-23 18:55 UTC
AgentWard version: 0.2.4
Tools scanned: 10

🔴 3 critical · 🟠 7 high

Permission Map
SourceTool/SkillCapabilitiesRiskWhySkillbankr:trading_operationsread,write,read⚠️ HIGHFinancial operations — value transfer riskSkillbankr:portfolio_managementread⚠️ HIGHFinancial operations — value transfer riskSkillbankr:market_researchread⚠️ HIGHFinancial operations — value transfer riskSkillbankr:transfersread,write,read⚠️ HIGHFinancial operations — value transfer riskSkillbankr:nft_operationsread,write⚠️ HIGHFinancial operations — value transfer riskSkillbankr:polymarket_bettingread,read,write🔴 CRITICALFinancial operations with credential access — direct value transfer riskSkillbankr:leverage_tradingread,write⚠️ HIGHFinancial operations — value transfer riskSkillbankr:token_deploymentread,read,write🔴 CRITICALFinancial operations with credential access — direct value transfer riskSkillbankr:automationread,write⚠️ HIGHFinancial operations — value transfer riskSkillbankr:arbitrary_transactionsread,read,write🔴 CRITICALFinancial operations with credential access — direct value transfer risk

**Recommended fix for the three CRITICAL skills:**
Separate credential management from financial operations into distinct skills. Credential-handling capabilities should not share a skill with value-transfer operations. This way even if a prompt injection reaches the agent, it cannot access credentials and execute transactions in the same context.
**

[agentward-report.md](https://github.com/user-attachments/files/25497953/agentward-report.md)

**: Adding a ## Security section to your SKILL.md documenting authentication requirements and value-transfer limits would also help AgentWard and other tools score your skill more accurately.
I'm not asking you to change anything — just flagging it in case it's useful. Happy to add a reference AgentWard policy for bankr users in our examples folder if that would help.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: 3 CRITICAL risks detected in bankr skills — AgentWard scan report #182

AgentWard Scan Report

Permission Map

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: 3 CRITICAL risks detected in bankr skills — AgentWard scan report #182

Description

AgentWard Scan Report

Permission Map

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions