swig-smart-wallet
Audited by Socket on Feb 26, 2026
1 alert found:
Security

This skill's stated purpose (create and manage Swig smart wallets, manage authorities, and optionally sponsor gas via paymaster or custom sponsor) aligns with the capabilities described. The main security concerns are credential and secret handling and the data flows to third-party endpoints:

(1) storing private key material in plaintext agent-keypair.json is risky without recommending encryption or protected storage;
(2) supplying a paymaster API key grants an external service the ability to sign/submit transactions (expected for that feature) but is a sensitive credential that must be protected;
(3) use of an arbitrary custom sponsor URL sends full serialized transactions (base64) to that endpoint, which could be used to exfiltrate or misuse transaction contents if the sponsor is untrusted.

There are no download-execute patterns, obfuscated code, or hidden backdoors in the provided instructions. Overall this skill is functionally coherent but carries moderate supply-chain and credential risk due to external signing endpoints and plain key storage; operators should ensure they trust the paymaster/sponsor services and use secure secret storage and explicit user consent before funding or delegating signing authority.