portfolio
Warn
Audited by Socket on Apr 16, 2026
1 alert found:
Anomaly (LOW): SKILL.md
The skill's purpose and read-only wallet-portfolio behavior are broadly aligned, but it delegates core functionality to an unpinned third-party npm CLI (`npx fibx@latest`) with undocumented provenance and auth/session handling. That makes it suspicious from a supply-chain and session-forwarding perspective, though not overtly malicious based on the provided content.
Confidence: 76%
Severity: 56%
Audit Metadata