import-art

SUSPICIOUS: the core behavior is coherent and locally scoped for importing album art, with no evident credential harvesting or outbound data flow. The main issue is install/execution trust: the skill depends on an unverifiable external MCP tool (`bitwize-music-mcp`) with no established official provenance in the provided evidence, raising supply-chain risk disproportionate to an otherwise simple file-copy skill.