ClawCast Crypto Wallet: Keys, Balances & Transactions

The skill is classified as suspicious due to several risky behaviors, primarily the temporary storage of sensitive cryptographic material on disk. Specifically, `scripts/02_wallet.sh`, following instructions in `SKILL.md`, saves the mnemonic phrase to `~/.agent-wallet/mnemonic-words-*.txt` and a temporary private key to `~/.agent-wallet/privatekey.tmp`. While there's an attempt to delete the mnemonic file after an hour using the `at` command (which `scripts/02_wallet.sh` attempts to install via `sudo`), this creates a window of vulnerability. Additionally, `scripts/03_password.sh` persists the wallet password in a plaintext file (`~/.agent-wallet/pw.txt`) to enable non-interactive operations. These actions, while seemingly intended for the skill's functionality, introduce significant security risks by exposing sensitive data on the filesystem.