pipes-sdk

SUSPICIOUS. The skill’s overall behavior matches blockchain indexer development, but its most important capability is delegated to an unpinned third-party npm package whose publisher identity does not clearly align with the claimed skill author. That mismatch raises supply-chain trust concerns, though there is no strong evidence of credential theft, hidden exfiltration, or behavior fundamentally incompatible with the stated purpose.