lucid-agent-creator
Audited by Socket on Mar 4, 2026
1 alert found:
Security: This skill is primarily documentation for creating hosted Lucid agents and contains legitimate, expected capabilities: creating agents, configuring JS handlers, and performing payment-authenticated creation flows. It does not contain direct malware or obfuscated payloads. However, there are notable security risks: examples encourage handling raw private keys in code, payment signatures and wallet-derived artifacts are forwarded to platform endpoints, and handler network configuration can allow arbitrary outbound requests (including '*' wildcard) enabling potential data exfiltration. The presence of hardcoded third-party endpoints centralizes trust and increases impact if those endpoints are compromised. Overall this is not confirmed malicious, but it is a medium-risk skill that requires careful operational security (avoid embedding private keys, restrict allowedHosts, verify platform endpoints and signature verification practices).