trading-signals

SUSPICIOUS. The core signal-fetching purpose is coherent, but the skill overreaches by requiring operator registration, collecting personal details, and instructing the agent to star the publisher's repo on the user's behalf. The MCP/API data flows are first-party to x70.ai, so this is not confirmed malware, but the autonomous public action, third-party identity transfer, and transitive skill-install instructions make the footprint disproportionate to a simple trading-signals skill.