Bankr x402 SDK - Balance Queries

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

This document itself is informational and not directly malicious, but it contains one important, suspicious practice: the example asks for a full private key to perform read-only balance and portfolio queries. That requirement is disproportionate and increases supply-chain risk. The documentation lacks transparency about network endpoints, key handling (local vs remote), package provenance, and safety guarantees.

Recommendation: Treat the SDK as untrusted until you (a) inspect the @bankr/sdk source code or distributed package to verify it does not transmit private keys, (b) confirm endpoints and TLS/endpoint ownership, (c) prefer supplying only public addresses or read-only API keys for balance queries, and (d) consult package registry metadata/signature. Additional code-level review of the SDK and runtime network traces are required to raise confidence before use.

LLM verification: No explicit malicious code is present in this SKILL.md fragment. However, the skill asks for a raw private key (BANKR_PRIVATE_KEY) which is disproportionate for many read-only queries and creates a high-risk credential exposure possibility. The documentation lacks details on where the SDK sends network requests and how the private key is stored/used. Without the actual SDK implementation or network endpoint details, this is suspicious from a supply-chain perspective and warrants further review o

Confidence: 98%
Severity: 75%
Audit Metadata
Analyzed At
Feb 15, 2026, 06:46 PM
Package URL
pkg:socket/skills-sh/BankrBot%2Fclaude-plugins%2Fbankr-x402-sdk-balance-queries%2F@8876c2ca993260f1e73d3e991b1f3d828f8f03c5