haul

SUSPICIOUS. The core behavior is mostly coherent with a product-image collection skill, and it includes several proportional safety boundaries. The main concern is data-flow integrity: it mixes official APIs with SerpAPI, a third-party proxy that unnecessarily intermediates search traffic, while also enabling broad untrusted web ingestion, authenticated-session handoff, local writes, and downstream sharing. No evidence of malware or deceptive payload installation is present, but the skill has medium security risk due to third-party routing and agentic web-content handling.