maimai-hub

SUSPICIOUS. The skill’s core behavior matches its stated purpose, and visible network flows remain on maimai.cn, so it is not clearly malicious. However, it requires extracting authenticated session cookies, storing them in a local env file, and forwarding them into a local script whose code is not provided, which is a meaningful credential-handling and execution-trust concern.