bybit-futures
Audited by Socket on Feb 20, 2026
1 alert found:
Anomaly: The manifest/documentation claims a legitimate and high-risk capability (placing high-leverage futures orders with DB tracking). No implementation code is provided, so there is no direct evidence of malware, but there are significant supply-chain red flags: inconsistent gate declarations (missing BYBIT_API_SECRET), lack of explicit endpoints or DB details, and no least-privilege guidance. These gaps materially increase the risk that a real implementation could exfiltrate credentials or route trades through malicious proxies. Treat this artifact as SUSPICIOUS and require a full code and deployment review (network endpoints, DB access, secrets handling, and runtime telemetry) before trusting or running it against real funds.