plaid
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The skill documentation for plaid-cli is internally consistent with its purpose: it requires Plaid credentials, stores tokens locally, and interacts with the Plaid API. I found no indicators of deliberate malicious behavior in the provided text (no obfuscation, no download-and-execute instructions, no third-party proxy endpoints). The primary security concerns are standard for API CLI tools: local storage of access tokens (~/.plaid-cli), a command that can print tokens to stdout (`plaid-cli tokens`), and relying on upstream GitHub code (supply-chain trust). Recommend ensuring strict file permissions for ~/.plaid-cli, avoiding use of commands that print secrets in automated contexts, and pinning/verifying the upstream release before installation.