upbit

SUSPICIOUS. The skill’s capabilities fit a crypto-exchange integration, but its trust model is incomplete: it asks the agent to use a local `upbit` binary and forward exchange credentials without providing verifiable installer provenance in the supplied material. Real-money actions are in scope and partly mitigated by a CONFIRM step, while `--base-url` also allows authenticated traffic to be redirected. Main concern is unverifiable external CLI trust plus credential forwarding, not confirmed malware.