Hi Bankr team,
I've been running [AgentWard](https://github.com/agentward-ai/agentward), an open-source permission scanner and runtime enforcement layer for OpenClaw skills. I scanned the bankr skill set and wanted to share the findings directly with you.
Summary: 10 tools scanned · 3 CRITICAL · 7 HIGH
The three CRITICAL findings are:
- bankr:polymarket_betting — financial operations with credential access
- bankr:token_deployment — financial operations with credential access
- bankr:arbitrary_transactions — financial operations with credential access
The core issue: credential management and value-transfer operations share the same skill context. This means a crafted prompt — or a prompt injection from an external source — could trigger real financial transactions using stored credentials without any confirmation gate.
Full scan report:
AgentWard Scan Report
Generated: 2026-02-23 18:55 UTC
AgentWard version: 0.2.4
Tools scanned: 10
🔴 3 critical · 🟠 7 high
Permission Map
Source | Tool/Skill | Capabilities | Risk | Why
-- | -- | -- | -- | --
Skill | bankr:trading_operations | read,write,read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:portfolio_management | read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:market_research | read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:transfers | read,write,read | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:nft_operations | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:polymarket_betting | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk
Skill | bankr:leverage_trading | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:token_deployment | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk
Skill | bankr:automation | read,write | ⚠️ HIGH | Financial operations — value transfer risk
Skill | bankr:arbitrary_transactions | read,read,write | 🔴 CRITICAL | Financial operations with credential access — direct value transfer risk
Recommended fix for the three CRITICAL skills:
Separate credential management from financial operations into distinct skills. Credential-handling capabilities should not share a skill with value-transfer operations. This way even if a prompt injection reaches the agent, it cannot access credentials and execute transactions in the same context.
For skill developers: Adding a `## Security` section to your SKILL.md documenting authentication requirements and value-transfer limits would also help AgentWard and other tools score your skill more accurately.
I'm not asking you to change anything — just flagging it in case it's useful. Happy to add a reference AgentWard policy for bankr users in our examples folder if that would help.
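The separation recommended in the post, sketched as an added example that is not part of the original post and is neither AgentWard's nor Bankr's code. All class and function names, addresses and amounts are hypothetical and constructed: the agent-facing skill can only propose a transfer, and the credential-holding skill signs only when a confirmation bound to that exact intent is presented.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Intent:                      # what the agent wants to do; contains no secrets
    destination: str
    asset: str
    amount: int
    def digest(self) -> bytes:
        return hashlib.sha256(repr((self.destination, self.asset, self.amount)).encode()).digest()

class ConfirmationGate:
    """Lives outside the agent context; approve() is reached only from a user-facing channel."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def approve(self, intent: Intent) -> bytes:
        return hmac.new(self._key, intent.digest(), hashlib.sha256).digest()
    def verify(self, intent: Intent, approval: bytes) -> bool:
        return hmac.compare_digest(self.approve(intent), approval)

class CredentialSkill:
    """Holds the stored credential; it cannot choose a destination or an amount."""
    def __init__(self, gate: ConfirmationGate):
        self._gate = gate
        self._credential = secrets.token_bytes(32)   # constructed stand-in for a stored key
    def sign(self, intent: Intent, approval: bytes) -> str:
        if not self._gate.verify(intent, approval):
            raise PermissionError("no confirmation bound to this exact intent")
        return hmac.new(self._credential, intent.digest(), hashlib.sha256).hexdigest()

class TransferSkill:
    """Agent-facing skill: it builds intents and holds no reference to credentials."""
    def propose(self, destination: str, asset: str, amount: int) -> Intent:
        if amount <= 0:
            raise ValueError("amount must be positive")
        return Intent(destination, asset, amount)

def attempt(vault: CredentialSkill, intent: Intent, approval: bytes) -> str:
    try:
        vault.sign(intent, approval)
        return "signed"
    except PermissionError:
        return "denied"

def demo() -> dict:
    gate = ConfirmationGate(); vault = CredentialSkill(gate); skill = TransferSkill()
    reviewed = skill.propose("constructed-addr-A", "USDC", 25)
    approval = gate.approve(reviewed)                 # the user confirmed this intent only
    injected = skill.propose("constructed-addr-B", "USDC", 25_000)  # built from untrusted text
    return {"confirmed": attempt(vault, reviewed, approval),
            "unconfirmed": attempt(vault, injected, b""),
            "approval_reused": attempt(vault, injected, approval)}
```
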