trader-explain
Warn
Audited by Socket on Jun 13, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s core behavior matches its stated trading-attribution purpose, but it relies on an unpinned external npm CLI invoked through Bash and may expose trading-signal data to that third-party code. Key-file access is purpose-consistent for signing, and no explicit off-platform exfiltration is described, so this is not confirmed malicious; the main issue is supply-chain and credential/data exposure risk from the external CLI dependency.
Confidence: 100%
Severity: 60%
Audit Metadata