skai-cli

SUSPICIOUS: the stated purpose is coherent and the Kenshoo/Skai domain relationship looks plausible, but the skill relies on an unpinned curl|sh installer for a proprietary CLI and then sends a sensitive API token through that opaque binary. There is no clear evidence of malicious intent or third-party credential harvesting, yet the install trust model and unverifiable executable materially raise risk.