nano-sign-message
Warn
Audited by Socket on May 3, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the core purpose is coherent, but the skill couples sensitive signing operations with dynamic execution of an unpinned npm package whose official provenance was not verified in the provided evidence. The MCP tool path appears proportionate; the CLI --key path is the main risk because it hands raw private keys to remotely resolved code.
Confidence: 83%
Severity: 82%
Audit Metadata