sorin-skill

SUSPICIOUS. The stated DeFi analysis purpose is plausible, but the footprint is not fully coherent: it sends credentials and user queries through a proxy gateway and includes an auto-update path that installs instructions from an unrelated repo (`okx/plugin-store`) via unpinned `npx`. This is high supply-chain and data-flow risk, but not confirmed malware.