x2c-publish

Warn

Audited by Socket on Apr 3, 2026

2 alerts found:

Alert 1: Anomaly (Security), severity LOW
scripts/x2c-publish.js

The module primarily behaves like a legitimate authenticated CLI wrapper for remote distribution and wallet operations, but it does transmit a locally stored API key (together with user-supplied content and transaction details) to a fixed external endpoint. The main security concerns are (1) possible path traversal or selection of an unintended credential file, because an unsanitized `userId` is used to build the credential file path; (2) potential leakage of sensitive backend responses through verbose stdout/stderr logging; and (3) an unused file-upload helper that could exfiltrate arbitrary local files if it were invoked from elsewhere. No strong indicators of intentional malware are present in the shown code.

Confidence: 66% / Severity: 52%
Alert 2: Security, severity MEDIUM
SKILL.md

SUSPICIOUS. The publishing features are plausible, but the skill mixes content publishing with autonomous financial operations, asks users to paste API keys directly to the agent, stores those keys locally, and routes authenticated traffic through a Supabase endpoint despite inconsistent product-domain instructions. This is not confirmed malware, but it is a high-risk skill with weak credential hygiene and disproportionate financial capability.

Confidence: 90% / Severity: 82%
Audit Metadata
Analyzed At
Apr 3, 2026, 07:26 AM
Package URL
pkg:socket/skills-sh/giggle-official%2Fskills%2Fx2c-publish%2F@f46f5348f36d1e0a76681bf945d3c1680debfbb0