HederaToolbox

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill implements a pay-per-call blockchain data service that uses a user's public Hedera Account ID as the sole authentication token ('api_key'). Because Hedera account IDs are public identifiers visible on any block explorer, this architectural flaw allows unauthorized third parties to potentially exhaust a user's pre-funded HBAR balance simply by knowing their account ID. While the skill does not exhibit intentional malicious behavior such as stealing private keys or local files, this weak authentication mechanism (SKILL.md) constitutes a significant security vulnerability.