top-rank-tokens-sniper
Audited by Socket on Apr 4, 2026
2 alerts found:
Security (x2): No direct malware/backdoor behavior is evident in this client-side fragment. However, it repeatedly inserts backend-provided strings into the DOM via innerHTML (positions, trades, roster, logs) without escaping or sanitization. This is a high-impact DOM XSS risk if an attacker can influence the backend state or logs, or the stored content served to this UI. Unless mitigated with strict server-side sanitization, output escaping (or textContent instead of innerHTML), and a CSP, injected script running in the user's browser context could drive the dashboard's start/stop/mode/reset actions on the user's behalf.
SUSPICIOUS: the skill is purpose-aligned, but it grants an AI agent autonomous cryptocurrency trading capability with real financial consequences. Install provenance for onchainos looks relatively coherent and same-org, lowering malware concern, yet the live-trading and wallet-delegation footprint makes the skill high security risk overall.
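To make the first alert concrete, the following is an added example (not code from top-rank-tokens-sniper or from Socket) of the innerHTML pattern it describes, shown beside a hardened rendering of the same data. The function names and the sample log lines are constructed for illustration; a string template is used so the contrast is visible, but in a real page untrusted values should go through textContent or createTextNode rather than any markup string.

```javascript
// Added example, not the package's own code. Function names and sample data are
// constructed assumptions used only to demonstrate the flagged pattern.

// Vulnerable pattern: backend-provided strings are concatenated into markup that
// is later assigned to element.innerHTML, so any markup in the data is parsed
// and executed by the browser.
function renderLogUnsafe(logLines) {
  return logLines.map((line) => `<li>${line}</li>`).join("");
}

// Hardened pattern: neutralise the five HTML-significant characters before the
// string becomes markup. This is the minimum when a template is unavoidable;
// prefer element.textContent for untrusted values and add a CSP on top.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderLogSafe(logLines) {
  return logLines.map((line) => `<li>${escapeHtml(line)}</li>`).join("");
}

// Constructed sample: one ordinary trade log line and one line of the kind an
// attacker who controls the backend state/logs could plant.
const sampleLogLines = [
  "Bought 0.5 TOKEN at 1.23",
  '<img src=x onerror="alert(document.cookie)">',
];

// Review check: does the rendered markup contain any tag other than the <li>
// wrappers the renderer itself emits? Anything else came from the data.
function containsForeignTags(html) {
  return /<(?!\/?li\b)[a-zA-Z]/.test(html);
}

console.log("unsafe:", renderLogUnsafe(sampleLogLines));
console.log("unsafe has injected tag:", containsForeignTags(renderLogUnsafe(sampleLogLines)));
console.log("safe:  ", renderLogSafe(sampleLogLines));
console.log("safe has injected tag:  ", containsForeignTags(renderLogSafe(sampleLogLines)));
```

The unsafe render emits the attacker's `<img ... onerror=...>` verbatim, which fires as soon as it is assigned to innerHTML; the safe render turns it into inert text that displays the payload instead of running it. Escaping at render time does not replace server-side validation or a CSP, but it removes the injection point the alert is about.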