autopredict
Audited by Socket on Apr 18, 2026
2 alerts found:
Anomaly x2
SUSPICIOUS: the skill is mostly coherent with its stated purpose and candid about upstream limitations, but it asks the agent to clone and execute an unpinned personal GitHub trading repo in a financial domain. Main concern is install trust and real-world action adjacency, not confirmed malicious behavior or credential theft.
This fragment is a standard setup/bootstrap wrapper, but from a supply-chain perspective it is security-sensitive because it fetches repository code from a (user-overridable) Git URL and then executes it via pip editable install and subsequent Python/CLI smoke-test commands. There is no cryptographic or commit/tag pinning verification, so an attacker who can influence REPO_URL content, redirect it, or tamper with the fetched repository (or interpreter selection) could cause arbitrary code execution during install/verification. No explicit malicious payloads are evident in this snippet itself; the risk is driven by unverified remote code execution.