polo-spot

SUSPICIOUS. The skill is purpose-aligned with Poloniex trading and uses the official Poloniex API directly, so there is no clear malware or proxy exfiltration pattern. However, it grants an AI agent high-impact financial capabilities, including withdrawals and transfers, and asks for raw credential file handling and local secret storage guidance, which makes the overall security risk high even without confirmed malicious intent.