evm-wallet-skill

SUSPICIOUS. The skill’s capabilities match its stated wallet purpose, but it gives an AI agent direct authority over high-impact financial actions and requires local private-key handling. The install path uses mutable GitHub code plus npm dependencies without pinning, and swap functionality depends on a third-party aggregator. There is no clear evidence of credential theft or covert exfiltration in the provided skill text, but the combination of remote install, private-key use, and autonomous transaction tooling makes this a high-risk wallet skill.