hermetica-yield-rotator

SUSPICIOUS: the skill is coherent for a DeFi yield rotator and the MCP install path appears publisher-consistent, so this is not clear malware or credential theft. However, it enables autonomous real-world financial actions, is non-user-invocable, depends on an external unpinned MCP package, and can output commands that move funds; that makes it high security risk even though its purpose and data flows are largely consistent.