opentrade-dex-swap
Warn
Audited by Socket on Mar 11, 2026
1 alert found:
Security alert (MEDIUM) in SKILL.md
The skill presents a coherent UX for a multi-chain DEX aggregator, but it relies on downloading and executing a remote installer (curl ... | sh) from a public raw URL without any verifiable integrity check, and it requires a user-supplied OPEN_TOKEN in a .env file for API access. These two factors create supply-chain and credential-exposure risks that are disproportionate to the stated purpose: whoever controls the URL (or the path to it) can run arbitrary code on the user's machine at install time, and the API token is only as protected as the file it sits in. The combination of remote code execution at install time, potential credential exposure, and external data flows warrants a SUSPICIOUS rating, with a securityRisk score in the high range because the dependency cannot be verified and the credential handling is unchecked.
Confidence: 98%
Severity: 75%
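The two checks a practitioner would apply before installing a skill like this one, written as an added example (this is not the opentrade-dex-swap installer or any code from the project): fetch the installer to a file, compare its SHA-256 against a hash obtained out of band (a release page or signed manifest, never the same URL), and only then execute it; and refuse to proceed if the .env holding OPEN_TOKEN is readable by anyone but its owner. The installer URL and the expected hash passed to fetch_install are placeholders the caller supplies.

```shell
#!/bin/sh
# Hardened replacement for "curl ... | sh". Added example; the project's
# real installer URL and its correct hash are assumptions the caller fills in.
set -eu

# Print the SHA-256 of a file; works with coreutils, BSD shasum, or openssl alone.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh only if its hash matches EXPECTED_SHA256 exactly.
# On mismatch it returns 1 and leaves FILE in place so it can be inspected.
verify_and_run() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'integrity check failed for %s\n expected %s\n got      %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  sh "$file"
}

# fetch_install URL EXPECTED_SHA256
# Download over HTTPS only (no protocol downgrade, TLS 1.2+), then verify and run.
# Nothing is executed until the hash has been checked.
fetch_install() {
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 "$1" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if verify_and_run "$tmp" "$2"; then status=0; else status=$?; fi
  rm -f "$tmp"
  return $status
}

# env_file_exposed FILE
# True (exit 0) when FILE is readable by group or others, i.e. the OPEN_TOKEN
# inside it is not private to the owner. Use: env_file_exposed .env && exit 1
env_file_exposed() {
  [ -n "$(find "$1" -maxdepth 0 \( -perm -040 -o -perm -004 \) -print)" ]
}

# Example invocation (placeholder URL and hash, both assumptions):
# fetch_install "https://example.invalid/install.sh" \
#   "0000000000000000000000000000000000000000000000000000000000000000"
```

The hash comparison happens on a local file, so a server that serves different bytes to curl than to a browser, a replaced raw-URL target, or a truncated download all fail closed. The .env check is deliberately blunt: a token file with mode 644 is a finding regardless of what else the skill does.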
Audit Metadata