send-usdc
Audited by Socket on Mar 18, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

The document correctly describes a tool for sending USDC, but it instructs runtime execution of an unpinned remote package ('npx awal@latest'), which is a significant supply-chain risk when combined with the capability to sign and send real funds. I found no explicit malicious code in the provided manifest itself, but the distribution pattern and missing operational safeguards (unpinned installs, unspecified endpoints, ambiguous amount parsing, and lack of per-transfer confirmation) create a material security risk. Mitigations: require pinned version/checksum, document backend/RPC endpoints, minimize runtime code execution (install audited binary), enforce explicit per-transaction confirmations, and clarify amount parsing rules. Treat use of 'npx ...@latest' for financial actions as high-risk until mitigated.

LLM verification: The skill's stated purpose (send USDC) matches the requested capabilities (wallet auth, ENS resolution, transaction submission). The main security concern is the delivery/execution model: invoking `npx awal@latest` downloads and runs unpinned code from npm every time, which is a high supply-chain risk when the tool has access to wallet credentials and can sign transactions. Documentation lacks clarity about RPC/endpoints and whether any credentials are transmitted to third-party servers. There a