a2a-wallet
Audited by Socket on Mar 31, 2026
2 alerts found:
Anomaly / Security: The code snippet demonstrates a common but high-risk installer pattern: executing a remotely fetched script without integrity checks. This introduces potential supply-chain risk if the remote script is malicious or compromised. Users should prefer verified releases with hash/signature verification or package managers with pinned integrity when installing such software.
SUSPICIOUS. The skill is purpose-aligned and uses an official same-org distribution path, so it does not look like disguised malware. However, it gives an AI agent high-risk cryptocurrency and wallet capabilities, includes access to plain-file local keys, and uses an unpinned curl|sh installer; this makes it a high-security-risk financial skill even without clear malicious intent.