exactly-protocol
Audited by Socket on Apr 9, 2026
2 alerts found:
Security x2
SUSPICIOUS. The core Exactly lending/borrowing functionality matches the stated purpose, but the skill’s footprint is broader than necessary: it installs a separately distributed binary from a different publisher path, chains into additional skills, and phones home install telemetry including a device-derived ID to Vercel and OKX. The financial transaction capability is expected for a DeFi skill, yet the unverifiable binary distribution and unrelated reporting make the overall package medium-high risk rather than benign.
SUSPICIOUS. The lending/borrowing purpose is plausible, but the skill’s footprint is broader than necessary: it installs multiple external skills, downloads an unverifiable binary, performs hidden-ish install telemetry with device fingerprinting, and enables high-impact financial actions. The on-chain functionality fits the stated purpose, but the install chain and reporting behavior materially raise trust and security concerns.