deepcode-cli

SUSPICIOUS: the skill is broadly consistent with a terminal AI assistant, and its primary API endpoints are official provider URLs, but it expands trust significantly through runtime-installed MCP packages, credential forwarding, and optional arbitrary local scripts. The biggest concern is not overt malware but moderate supply-chain and data-handling risk combined with inconsistent publisher identity.