mochi-srs

The skill’s stated purpose and workflow are coherent for a Mochi flashcard assistant, and its credential/file scope is mostly proportionate. However, it depends on a bundled local CLI in the skill directory and forwards a Mochi API key to it without enough provenance in the provided material; that makes this suspicious from a supply-chain and credential-handling perspective rather than clearly malicious.