fabric

Warn

Audited by Socket on Mar 11, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

The Fabric skill's stated purpose as a multi-provider AI prompt orchestration CLI is largely coherent with its capabilities and intended workflows (stdin/stdout piping, pattern library, multi-provider routing, REST API mode). However, there are notable security concerns: (1) installer via curl | bash from a raw GitHub URL introduces unverifiable code and supply-chain risk; (2) API keys and model configuration are required but not accompanied by explicit secure storage/rotation guidance; (3) extensive outbound data flows to multiple providers depend on proper data governance and consent; (4) the REST API surface increases attack surface if not properly secured. The overall footprint is borderline benign but leans toward suspicious due to the installation approach and broad data-exchange capabilities without clearly stated safeguards. Recommendation: treat as SUSPICIOUS until the installer is replaced with a verified, signed binary or a package from an official registry, and until explicit security controls for credentials, data consent, and API access are documented.

Confidence: 68%
Severity: 62%

Audit Metadata

Analyzed At: Mar 11, 2026, 09:28 AM
Package URL: pkg:socket/skills-sh/akillness%2Fskills-template%2Ffabric%2F@78e7a17be26ee4a0066f01178378be6a38db0ddd