veil
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This skill is functionally coherent with its stated purpose (it needs to manage keys, query blockchain RPCs, and interact with Bankr). However, it contains multiple supply-chain and credential-risk patterns: unpinned third-party installs (npm and GitHub clone + build), explicit instructions to execute local shell scripts, and direct handling of sensitive key files and a Bankr API key. Those factors create realistic exfiltration and credential-forwarding risks: a compromised or malicious @veil-cash/sdk or script could read VEIL_KEY or bankr config and send them to remote endpoints, or perform unauthorized transactions. The skill should only be used after code review of the installed SDK and scripts, pinning of dependencies or verifying build outputs, restricting network endpoints (allowlist), and preferring delegated/hardware signing rather than storing raw keys in files. Overall: not obviously malicious but materially risky — treat as high supply-chain/credential risk and require stricter controls before granting execution.