us-market

SUSPICIOUS. The skill’s market-data purpose is coherent, but its runtime trust model is not: it hardcodes credentialed requests to an unverified private API on a raw IP over plain HTTP, with no verifiable publisher relationship or transport protection. This is not confirmed malware, but it is a high-risk data-flow and credential-handling pattern for an AI skill.