using-khuym

SUSPICIOUS: the skill's orchestration behavior mostly matches its stated bootstrap purpose, and its repo writes are disclosed and user-gated. The main concern is install/execution trust: it depends on several external tools, with br and cm not clearly verifiable from the provided evidence, which triggers a high supply-chain risk floor even without direct evidence of malicious intent or credential theft.