BitSkins

This skill mostly does what it says (wraps the BitSkins REST and WebSocket APIs), but there are a few red flags you should address before using it with real funds or account keys: - Provenance: the package has no homepage or source URL. Ask the publisher for the code origin or prefer a skill published by a known/verified author. - Declared vs. actual requirements: the registry metadata lists no required env vars or binaries, but SKILL.md and scripts require BITSKINS_API_KEY and depend on curl (and optionally jq). Do not set an API key until the metadata is corrected. - Secrets handling: the helper script sends your API key in the x-apikey header; ensure your platform stores the key in a secure secret store (not a global shell profile). Prefer creating a scoped/ephemeral API key on BitSkins with minimal permissions for testing. - Test-read only first: start by calling non-destructive endpoints (e.g., GET /config/status/get or market search) to confirm behavior before attempting buys, withdrawals, or wallet operations. - Verify binaries and environment: confirm curl is available (the script will fail otherwise) and jq is present if you want pretty output. Ask the author to list these in the skill metadata so automated checks can validate runtime prerequisites. - Confirm 2FA workflow: the skill correctly requests fresh 2FA codes for sensitive endpoints — never allow the skill to store persistent 2FA codes. - Ask for an updated package: request that the publisher update registry metadata to declare BITSKINS_API_KEY as required, list required binaries, and provide a homepage or source repository. If they cannot or will not, treat the skill as untrusted. If you decide to proceed temporarily, use an account with no balance or an API key with limited permissions, and avoid any real financial or withdrawal actions until provenance and metadata are fixed.