puda-workflows

SUSPICIOUS. The skill is broadly aligned with its stated purpose, but it enables real-world robotic actions, requires a third-party OpenRouter API key, and delegates to another skill (puda-memory). No obvious malware or credential harvesting pattern is present, but the physical-action scope and transitive trust make it medium risk.