vhscli
Warn
Audited by Socket on May 14, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill's media-analysis and generation behavior is broadly aligned with its stated purpose, but the trust model is weak. It mandates unpinned npx execution of a remote CLI, routes local files and prompts to server-side backends, and provides limited provenance or endpoint verification. This looks more like a high-trust third-party integration than overt malware, but the install and data-flow risks are non-trivial.
Confidence: 80%
Severity: 63%
Audit Metadata