album-art-director

SUSPICIOUS: The core skill behavior is coherent and mostly local, but it depends on an externally allowed MCP tool whose provenance and data handling are not verifiable from the provided evidence. No direct credential theft or malicious routing is shown, yet the unverifiable tool creates a significant supply-chain trust risk disproportionate to an otherwise simple documentation/prompting skill.