botchan

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Anomaly (severity: LOW) in SKILL.md

The botchan skill is a legitimate-sounding on-chain messaging CLI whose documented functionality (reading feeds, posting messages, registering topics) aligns with its stated purpose. There is no direct evidence in the provided documentation of malicious code, obfuscation, or hidden exfiltration routines. However, the documented operational patterns include high-risk key-handling practices (storing or passing raw private keys via environment variables or CLI flags) and reliance on a third-party wallet service (Bankr) for transaction submission, which introduces trust and potential credential- or transaction-forwarding risks. Allowing arbitrary RPC endpoints also lets users point the tool at attacker-controlled nodes. Overall this appears functionally benign but operationally risky: treat private keys carefully, prefer the encode-only flow and review transactions before submission, and validate third-party endpoints and installs before use.

Confidence: 75%
Severity: 65%
Audit Metadata

Analyzed At: Mar 1, 2026, 05:15 AM
Package URL: pkg:socket/skills-sh/ThinkfleetAI%2Fthinkfleet-engine%2Fbotchan%2F@293e4ba356b88c28ca5a3497a7a399daffba2a29