xenodia
Pass. Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill is classified as suspicious due to two significant vulnerabilities related to sensitive credential handling and persistence. Firstly, the `SKILL.md` explicitly instructs the AI agent to persist sensitive Coinbase CDP API keys and wallet secrets in plaintext within the user's `~/.zshrc` file. This makes these critical credentials broadly available in every new shell session, significantly increasing their exposure. Secondly, the `xenodia_client.py` script stores the agent's local EVM private key in a plaintext file named `.xenodia_agent_key` within the skill's directory. While these actions serve the agent's stated functionality and convenience, storing private keys and API secrets in plaintext files and shell configuration files without explicit security measures (such as restrictive file permissions) constitutes a high-risk vulnerability, even if the intent is not directly malicious.
