portfolio
Warn
Audited by Socket on Mar 15, 2026
1 alert found:
Anomaly (LOW): SKILL.md
The skill’s stated purpose and capabilities are broadly aligned: a read-only wallet portfolio command for Starknet. The main risk is install/execution trust from invoking an unpinned third-party CLI via `npx @latest`, plus opaque handling of authenticated session data. No clear evidence of malicious intent or disproportionate permissions is present, but the runtime dependency model makes this better classified as suspicious than fully benign.
Confidence: 80%
Severity: 58%
Audit Metadata