droyd

This skill provides broad, high-impact capabilities (autonomous trading, wallet provisioning, arbitrary agent file read/write/delete, and centralized API usage). The documented flows are plausible for a legitimate product, but they carry notable supply-chain and operational risks: persistent API keys in a local .config, uploading arbitrary local files, and remote execution of trades via droyd.ai. There is no evidence of embedded malware or obfuscated malicious code in the provided documentation fragment, but the combination of credential persistence and powerful remote actions warrants caution. Review the actual scripts (scripts/*.sh) and the security model of the droyd.ai API before use: ensure API keys are scoped minimally, .config is protected, uploads are restricted, and every trade or wallet action requires explicit user authorization. Treat this skill as high-impact — acceptable if you trust droyd.ai and audit the scripts; otherwise restrict usage.