onchain

Warn

Audited by Socket on Apr 3, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill’s purpose is coherent, and the named upstream services are legitimate for crypto portfolio/tx lookups, but the core `onchain` binary is completely unverifiable from the skill text. Because this opaque CLI is entrusted with Coinbase/Binance secrets and other API keys, the skill carries high supply-chain and credential-forwarding risk even without direct evidence of malicious intent.

Confidence: 88%
Severity: 84%

Audit Metadata
Analyzed At: Apr 3, 2026, 07:39 PM
Package URL: pkg:socket/skills-sh/sundial-org%2Fawesome-openclaw-skills%2Fonchain%2F@b65edfb68625d29fe6045b4570f9ce184c451142