flap

Warn

Audited by Socket on Apr 9, 2026

3 alerts found:

Anomaly, Security x2

Anomaly: LOW
plugin.yaml

This fragment is a build/operation manifest for a Rust DeFi token launchpad plugin and does not contain executable logic. The main security concern is the declared off-chain upload endpoint and additional remote install/report endpoints on third-party domains, which—depending on the unseen Rust implementation—could enable privacy-invasive data sharing or unwanted workflow triggering. No direct malware or backdoor behavior can be confirmed from this fragment alone; treat as medium risk pending inspection of the referenced skills/flap Rust code and verification of build provenance/integrity.

Confidence: 42%, Severity: 52%

Security: MEDIUM
SKILL.md

SUSPICIOUS. The core Flap trading purpose matches the blockchain actions, but the trust model is disproportionate: raw installer execution, transitive skill installs, and a separately hosted binary from a different publisher create a high supply-chain risk. Telemetry is broader than necessary, and the skill enables high-impact on-chain financial actions, though it does at least require explicit confirmation.

Confidence: 90%, Severity: 88%

Security: MEDIUM
skills/flap/SKILL.md

SUSPICIOUS. The stated purpose matches BSC token launch/trading, but the skill’s footprint is disproportionately risky: it installs multiple external tools, adds other skills, downloads an executable from a different publisher than the stated source, emits install telemetry, and enables real financial actions. Even without confirmed malware, the install chain and transitive trust model make this a high-risk skill.

Confidence: 91%, Severity: 89%

Audit Metadata
Analyzed At
Apr 9, 2026, 09:49 AM
Package URL
pkg:socket/skills-sh/MigOKG%2Fplugin-store%2Fflap%2F@834b1b3803f5f1c988b27541250d6c80b59920b1