Skill Trust Decision

chinese-bank-forex-rates

SKILL.md declares forex rate fetching with a node index.js invocation, but no implementation code (index.js) exists in the repository—creating a significant doc-to-code mismatch.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 2
Artifacts 0
Violations 0
Findings 2
Most direct threat evidence
01
Skill published with SKILL.md claiming forex rate fetching capability
reconnaissance · SKILL.md
02
No implementation code (index.js) delivered despite documented invocation
delivery · N/A
03
Cannot determine actual functionality—skill is incomplete or code was withheld
uncertainty · N/A

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill published with SKILL.md claiming forex rate fetching capability

reconnaissance · SKILL.md:1

02
No implementation code (index.js) delivered despite documented invocation

delivery · N/A

03
Cannot determine actual functionality—skill is incomplete or code was withheld

uncertainty · N/A

What drove the risk score up

Missing implementation +30

SKILL.md invokes 'node index.js' but no index.js file exists in the repository

Doc deception +20

Skill claims to fetch Chinese bank forex rates but provides no code to do so

Most important evidence

High Doc Mismatch

Missing implementation file

SKILL.md declares the skill fetches Chinese bank forex rates and shows an invocation command 'node index.js --bank ...', but no index.js file exists in the repository. The only files present are SKILL.md and package.json.

SKILL.md:48
Request the full implementation code before using this skill. A published skill with no code is either incomplete or potentially a malicious placeholder.
Medium Doc Mismatch

Repository claims executable code

package.json and SKILL.md reference Node.js execution (engines.node: '>=18.3' and 'node index.js' command) but no JavaScript source files are present. This creates uncertainty about what the skill actually does.

package.json:9
Verify the repository contains all necessary source files. An npm package with no actual code is non-functional and suspicious.

Declared capability vs actual capability

Filesystem · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Network · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Shell · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Environment · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Skill Invoke · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Clipboard · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Browser · Pass · Declared NONE · Inferred NONE · No code files present to analyze
Database · Pass · Declared NONE · Inferred NONE · No code files present to analyze

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 62 lines
Markdown 1 file · 48 lines
JSON 1 file · 14 lines
Files of concern · 2
SKILL.md Markdown · 48 lines
Missing implementation file
package.json JSON · 14 lines
Repository claims executable code

Security positives

No credential theft patterns observed (no code to analyze)
No network exfiltration detected (no code to analyze)
No obfuscation techniques found (no code to analyze)
No sensitive file access attempted (no code to analyze)
package.json has MIT license and links to a public GitHub repository
No environment variable harvesting observed