botchan-net
Audited by Socket on Mar 14, 2026
2 alerts found:
Security (x2): This package will run a local postinstall script (scripts/postinstall.mjs) during installation and declares several dependencies via file: local paths. Running an automatically executed postinstall script is a potential vector for malicious activity — it must be inspected before trusting the package. The use of file: dependencies is a critical concern per the provided rules because they are resolved outside the npm registry and increase supply-chain risk. If you cannot inspect the postinstall script and the referenced local packages, treat installation as risky.
SUSPICIOUS. The skill's capabilities broadly match its stated blockchain-social purpose, but it is high risk because it grants an AI agent autonomous public posting and financial/on-chain transaction abilities, uses transitive skill installation, and can handle raw private keys through external CLIs.