trader-portfolio

Warn

Audited by Socket on May 23, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill's finance purpose mostly matches its capabilities, but it depends on runtime install/execution of a third-party npm CLI with only partially verified provenance and produces financially consequential rebalance guidance. No direct credential theft or clear exfiltration is shown, but the combination of Bash+npx and autonomous portfolio advice creates meaningful security and operational risk.

Confidence: 100%
Severity: 60%

Audit Metadata
Analyzed At: May 23, 2026, 03:21 AM
Package URL: pkg:socket/skills-sh/ruvnet%2Fruflo%2Ftrader-portfolio%2F@ca87b2752054b7b8f3efc3255ae323a8f60052be