Bitget Wallet Skill.Disabled

What to consider before installing: - Code review: Inspect the Python scripts (order_sign.py, order_make_sign_send.py, bitget_agent_api.py, x402_pay.py) yourself or have a trusted engineer review them for logging of secrets, hardcoded endpoints, or unexpected network requests. Don’t assume the SKILL.md statements about not logging mnemonics are enforced in code. - Protect keys: Treat the BIP-39 mnemonic/private keys as highly sensitive. Prefer using an external/hardware signer or a dedicated secret store that the agent cannot directly print or leak. Avoid passing raw private keys on CLI flags on multi-tenant or untrusted hosts. - Disable auto-update: The skill’s suggested behavior to re-install/replace local files from GitHub is convenient but risky. If you allow updates, restrict them to a vetted process (signed releases, CI-verified artifacts, or manual pull & review) rather than allowing the agent to overwrite code automatically. - Principle of least privilege: Only give this skill the minimum runtime permissions needed (network access to the documented API endpoints and read access to the secure storage holding keys). Do not run it with global filesystem or admin rights. - Human confirmation & auditing: Enforce an out-of-band confirmation step for any fund-moving action and keep an audit trail (what command ran, which orderId, which address, which key was used). Configure the agent so that signing cannot happen without an explicit user-confirmed CLI action. - Test in sandbox: Before connecting real funds, test the skill in a sandbox with watch-only addresses or testnet tokens to observe network behavior and confirm no unexpected endpoints are contacted (especially for x402 flows that may contact arbitrary facilitators). If you lack the ability to verify the scripts or enforce these controls, treat this skill as higher-risk and avoid providing real wallet keys or permitting autonomous signing.