aicoin-exchange-trading
Audited by Socket on Mar 2, 2026
1 alert found:
Obfuscated File
The package manifest declares typical and expected behavior for an exchange-trading skill using CCXT. The highest risks are operational: the ability to execute financial actions (orders, transfers) and the presence of secrets in environment variables. There is no evidence in the provided manifest of explicit malware, obfuscated payloads, or external exfiltration endpoints, but the absence of the actual script (scripts/exchange.mjs) prevents ruling out credential leakage, unsafe evaluation of CLI JSON, or hidden network calls. Before trusting this code with real funds: (1) audit scripts/exchange.mjs for secret handling, unsafe eval, and unexpected network sinks; (2) restrict API key permissions (no withdrawals, minimal trading scopes); (3) pin and verify ccxt and transitive dependencies; and (4) require interactive confirmations or dry-run modes for destructive actions.