metengine-data-agent
Audited by Socket on Mar 27, 2026
2 alerts found:
Security x2
SUSPICIOUS. The core functionality matches the stated purpose of paid analytics access, and the main dependency (`mppx`) appears to be a legitimate public npm CLI rather than an unverifiable binary. However, the skill authorizes real USDC spending through an external CLI and remote payment flow, with no per-request approval safeguard and reduced transparency due to anti-discovery instructions. This is high security risk for autonomous agents, but not confirmed malware.
SUSPICIOUS. The skill is broadly coherent with its stated crypto-analytics purpose, but it authorizes an AI agent to create/fund a wallet and spend real USDC on requests via an external CLI. That makes it high risk from an autonomy and financial-action perspective even without clear evidence of malware or deceptive exfiltration.