portfolio
Audited by Socket on Feb 20, 2026
1 alert found:
Security: No direct malicious code is present in this markdown/spec file. However, the skill requests many high-value credentials (including raw private keys) and implies persistent background syncing and storage. That combination is disproportionate unless the implementation enforces least privilege (read-only keys), safe handling of private keys (prefer not to request raw wallet private keys), explicit use of official API endpoints, secure storage/encryption, and clear user guidance. Because implementation details are missing, treat the skill as SUSPICIOUS: acceptable if implemented with strict security controls, risky if implemented naively or if credentials are sent to third-party proxies. Recommend: (1) avoid requesting raw wallet private keys; use read-only API tokens or on-device signing; (2) require explicit documentation of API endpoints and data storage locations; (3) enforce least privilege and suggest credential scopes; (4) audit implementation for any network endpoints that are not the official vendor APIs before trusting it.