xxyy-trade

SUSPICIOUS. The skill is internally coherent for a crypto-trading assistant and shows no classic malware signals such as third-party installers, hidden exfiltration endpoints, or credential theft to unrelated domains. However, it enables real financial transactions using a single bearer API key with wallet-spending authority, performs background wallet/API checks, and relies on XXYY API routes that were not independently verified in public official endpoint documentation. This makes it high-impact and moderately risky even without evidence of malicious intent.

SUSPICIOUS. The skill is largely aligned with its stated crypto-trading purpose and uses same-brand XXYY endpoints rather than an obvious third-party exfiltration service, so this is not confirmed malware. However, it grants an AI agent high-impact financial capability via a single API key that can both read and trade, includes silent onboarding and wallet auto-selection, and combines untrusted feed/social scanning with execution ability; overall this is a high-risk trading skill that should only run with strong user oversight.