config

Warn

Audited by Socket on Mar 15, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS: The skill’s stated purpose matches its capabilities, but it relies entirely on an unpinned external npm CLI (`npx starkfi@latest`). That creates meaningful supply-chain risk, and RPC URLs with embedded provider keys may be exposed to the CLI. No clear malicious or exfiltration behavior is shown in the skill text itself.

Confidence: 81%
Severity: 57%

Audit Metadata

Analyzed At: Mar 15, 2026, 04:45 PM
Package URL: pkg:socket/skills-sh/ahmetenesdur%2Fstarkfi%2Fconfig%2F@43897923ab7b12ce3f57586050c67247723a44fd