frame-builder

The skill's stated purpose (launch and manage tokens) matches many of its instructions, but the SKILL.md asks the agent to create and store private keys, run git pulls/npm installs from an external repo, and autonomously perform claims — while no code files are provided to inspect — which is inconsistent and risky.

This skill is plausible for managing Frame/Base tokens, but it currently has two important red flags: (1) the SKILL.md expects a {baseDir}/src codebase (setup.js, heartbeat.js, claims.js, etc.) that is not included, and (2) it tells the agent to create and store a private key and to auto-update/pull code from git and auto-run claim operations. Before installing or enabling automation: 1) Do not run this against your main wallet — prefer a throwaway test wallet or hardware wallet; 2) Require the full source code (the {baseDir} scripts) and audit them yourself or have a trusted reviewer inspect them; 3) Disable automatic git pulls and npm installs until you confirm the remote origin and contents; 4) Disable automatic claiming (do not enable heartbeat --claim) and require manual approval for any transaction; 5) Verify RPC endpoints and where uploads (IPFS) actually go; 6) If you lack the ability to audit Node scripts, avoid granting this skill access to private keys or automated execution. If the author provides the missing source and a clear, auditable update mechanism (or a read-only monitoring mode), that would materially reduce risk.