trader-risk

SUSPICIOUS: the skill’s purpose and capabilities mostly align, but it relies on unpinned npm/npx execution of a not-fully-verified third-party trading CLI. No clear credential theft or exfiltration is present, yet the supply-chain risk is substantial enough to treat this as medium/high security risk rather than benign.