opentrade-token
Audited by Socket on Mar 11, 2026
1 alert found:
Security: The skill footprint is coherent with token discovery and analytics, but it uses a high-risk download-execute installer from a non-verifiable source and relies on user-supplied credentials via a .env file. This combination is suspicious and warrants caution: the installer could be tampered with or poisoned, and credentials could be exposed if log redaction is not enforced. Overall assessment: SUSPICIOUS due to the download/execute pattern and unverifiable dependencies, with elevated risk from credential handling and potential third-party CLI onboarding. If the installer were replaced with an officially signed package or a pinned, signed binary from a trusted registry, and credential handling were hardened (e.g., tokens fetched via a secure in-tool vault with scoped permissions), the risk would drop toward Benign.