k-skill-setup

SUSPICIOUS: the setup behavior is mostly aligned with its stated purpose, and consent gates reduce abuse risk, but the skill expands trust in two notable ways: transitive installation of the full bundle and default routing of many service requests through the publisher-hosted proxy instead of official APIs. This is not confirmed malware, but it carries medium security risk from supply-chain and data-flow centralization.