thespawn

SUSPICIOUS: the core purpose is internally coherent for a web3 agent-registry skill, but the trust model is weakened by transitive skill installation, runtime `npx` execution of external tooling, and support for autonomous onchain/public actions. No clear credential theft or hidden exfiltration is visible from the provided content, so this is better classified as high-risk/vulnerable rather than confirmed malicious.