Bsc Dev Monitor Skill

The skill bundle contains multiple instances of hardcoded sensitive credentials, including a ClawHub account email and password (hefang080@gmail.com / hefang198511633), a SkillPay API key, and a BSCScan API key. These are found in auto-deploy.js, DEPLOYMENT-GUIDE.md, READY-TO-DEPLOY.md, and the various index.js versions. While the core logic for monitoring BSC wallet activity appears to align with the stated purpose, the inclusion of these secrets and the presence of an automated deployment script (auto-deploy.js) using them is a significant security risk. No evidence of intentional data exfiltration or malicious behavior targeting the user was identified.