purposebot
Pass
Audited by ClawScan on Feb 24, 2026.
Overview
The skill's requested credentials and runtime steps are consistent with an agentic payments/trust service; nothing indicates obvious misdirection, but it asks for highly sensitive keys and relies on runtime tooling/packages that are not fully declared.
This skill is coherent with its stated purpose, but it asks you to provide and manage highly sensitive data (your PURPOSEBOT_API_KEY and a private signing key). Before installing: (1) verify the publisher and the domain https://purposebot.ai independently (source is 'unknown' in the registry metadata), (2) if you don't want to host keys yourself, prefer the dashboard-hosted key flow so that PurposeBot hosts the JWKS, (3) never upload your private key to a public URL; a JWKS should publish only public keys, not private material, (4) run the skill in an environment where you can limit file permissions and rotate/revoke keys quickly, and (5) ensure Python's 'cryptography' library is available (the SKILL.md uses it but does not declare Python package requirements). If you are uncomfortable providing a private key or long-lived API keys, either do not install the skill or restrict the keys' permissions/expiry first.
