token-distribution
Audited by Socket on Mar 7, 2026
1 alert found:
Anomaly: The skill's stated purpose of enabling compressed-token distribution for Solana airdrops is coherent with its described workflow and references. The footprint (credential handling (HELIUS_API_KEY, payer keypair), network calls to Solana RPC, and on-chain transactions) fits a legitimate token distribution tool. However, there are notable security concerns around credential management, potential transitive install behavior, and the need for explicit data-flow controls and secrets handling practices. Overall, the skill is SUSPICIOUS due to credential exposure risk and supply-chain aspects, but not clearly malicious without further artifacts. Implementers should apply strict secrets management, pin/verify dependencies, and limit filesystem/network scope before deploying.