denario

SUSPICIOUS: overall footprint mostly matches a legitimate research-automation skill, and the main install path is coherent with official PyPI/GitHub project docs. Risk is elevated by unpinned dependencies, weaker package provenance, optional Docker use with mounted `.env` credentials, and unspecified external-content/literature-search handling; these are meaningful security concerns but not evidence of confirmed malware.