Crypto Self-Learning

The package implements local trade logging, analysis, rule generation, and a memory-update feature which aligns with the 'self-learning' description. However the manifest/SKILL.md declares 'jq' as a required binary while none of the provided Python scripts call jq. The SKILL.md references a weekly_review.py script that is not present in the file manifest (missing file). These are inconsistencies (likely sloppy packaging) but not themselves malicious.

Runtime instructions direct the agent/user to run local Python scripts that read/write files under the skill's data directory and to call update_memory.py with an arbitrary --memory-path. update_memory.py will open, modify and overwrite whatever file path you provide (commonly agent MEMORY.md), thereby injecting auto-generated 'learned rules' into agent memory. The instructions also mention a weekly_review.py (not included). There are no network calls in the scripts and no access to other system credentials, but the ability to append content into an agent memory file can materially change agent behavior and should be treated as a high-impact action.

No install spec is provided (instruction-only with local Python scripts), so nothing arbitrary will be downloaded or installed by the registry. This is low-risk. Note: metadata lists 'jq' as required but the code doesn't use it—remove or correct this requirement.

The skill requests no environment variables or external credentials. All data is read/written to local files (data/trades.json and data/learned_rules.json). This is proportionate to the stated purpose.

The skill does not request always:true and does not modify other skills' configs. However, update_memory.py intentionally writes to an arbitrary MEMORY.md path supplied by the user. That gives the skill the ability to inject content into an agent's memory/persistent configuration if the user points it there — a normal feature for this use-case but a behavioral privilege that can influence agent decisions.