midnightskill
Audited by Socket on May 31, 2026
2 alerts found:
Anomaly x2
No clear in-file malware is evident: there is no overt backdoor, credential theft, or browser exploitation code visible. However, the module loads an unspecified custom analytics dependency (/analytics.js) and makes telemetry/identity calls (including ensureGithubUsername and event tracking of page_view and copy_snippet) that could collect public GitHub identifiers and snippet-related content. Clipboard-copy functionality further amplifies privacy impact if snippets or telemetry are sensitive. Overall, treat the supply-chain/privacy behavior as needing review/audit of /analytics.js.
SUSPICIOUS. The skill is broadly coherent with its stated purpose as a full Midnight DApp generator, and its network endpoints appear proportionate to that purpose. However, it combines a remote curl|sh installer, wallet seed handling, Docker image execution, and autonomous blockchain transaction capability, which creates meaningful security risk even without clear malicious exfiltration.