pump-token-lifecycle

Warn

Audited by Socket on May 7, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill is coherent in subject matter, but it enables autonomous cryptocurrency actions—token creation, trading, migration, and fee collection—which are inherently high risk for an AI agent. Install trust is mixed: the referenced SDK appears to be a community package from a personal GitHub account, not the official Pump package, though distribution is via npm rather than an opaque binary installer. No direct credential theft or exfiltration is evident, but the combination of real-money blockchain operations and reliance on a non-official SDK makes this a high security-risk skill.

Confidence: 90%
Severity: 78%

Audit Metadata

Analyzed At: May 7, 2026, 11:55 PM
Package URL: pkg:socket/skills-sh/nirholas%2Fpump-fun-sdk%2Fpump-token-lifecycle%2F@efd03f435d1ac8bf28e3fc6bf2f9a741e36eda3b