sn-da-image-caption

SUSPICIOUS. The skill’s core purpose and capabilities are mostly coherent for image captioning and data extraction, and there is no obvious malicious installer or unrelated credential grab. However, the unseen local script handles both image uploads and API credentials, the description contradicts itself about API-key requirements, and optional SN_VISION_BASE_URL permits routing images and credentials to arbitrary non-official endpoints. Overall risk is medium due to endpoint flexibility and unverifiable script behavior, not confirmed malware.