huashu-nuwa

Warn

Audited by Socket on Apr 5, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The core behavior mostly matches the stated purpose of generating persona/framework skills, but the skill has a broad footprint: extensive ingestion of untrusted external content, autonomous multi-agent file-writing, and recommendations to use unstable third-party/shadow-library sources. `yt-dlp` itself appears legitimate and same-project verifiable, so this is not confirmed malware, but the overall workflow poses meaningful supply-chain and prompt-injection risk.

Confidence: 84%
Severity: 68%

Audit Metadata

Analyzed At: Apr 5, 2026, 11:29 AM
Package URL: pkg:socket/skills-sh/alchaincyf%2Fnuwa-skill%2Fhuashu-nuwa%2F@e2d4a7d9cda8f209a6b4844783e11ea7871147f6