bankr-signals

SUSPICIOUS: the core API usage is mostly aligned with a trading-signals skill and uses consistent official endpoints, so this is not confirmed malware. However, the skill enables financially consequential autonomous behavior, recommends third-party managed signing with API keys, and most importantly instructs the agent to periodically fetch and follow external heartbeat markdown, creating a high prompt-injection and action-abuse risk.