Trading Coach

Name, description and reference docs consistently describe a CSV-based trading-replay/analysis tool (FIFO matching, scoring, insights). No declared env vars or unrelated binaries are requested — the requested capabilities align with processing CSVs and generating reports.

SKILL.md instructs the agent/user to git clone a third‑party GitHub repo and run Python scripts (import_trades.py, run_matching.py, score_positions.py, analyze_scores.py). That is within the functional scope (you need code to parse and score CSVs), but it delegates execution to external, unreviewed code and copies a config_template.py to config.py (which may lead to local secrets or configuration changes). The skill itself does not request credentials, but the instructions are sufficiently open-ended that the external repo could ask for or handle secrets or make network calls.

There is no declared install spec in the registry package, but the runtime instructions explicitly direct cloning an external GitHub repository and installing requirements via pip. That effectively instructs fetching and executing arbitrary third‑party code from an external source (user repo 'BENZEMA216/tradingcoach'), which is higher risk than an instruction-only skill that runs only built-in logic. The repo is hosted on GitHub (a known host) but is an unverified user repo — extract/run of arbitrary Python code is possible.

The skill declares no required environment variables, no credentials, and no config paths. For its stated purpose (CSV-based analysis) this is proportionate. Note: because SKILL.md instructs creating a config.py, the external repo might request API keys or other secrets — the package itself does not declare or require them.

The skill does not request 'always: true' or any persistent system-level privileges. It is user-invocable and allows model invocation (defaults). Nothing in the bundle indicates it modifies other skills or global agent settings.