tase-stock-analysis

SUSPICIOUS. The skill’s stated purpose is legitimate and internally consistent, but its optional live-data path relies on an unpinned GitHub-installed MCP server whose provenance was not verified and to which it forwards a TASE API key. That makes the core concern install trust and credential forwarding rather than confirmed malicious behavior.