xhs-sentiment-dashboard

SUSPICIOUS. The skill's purpose broadly matches its behavior, but it depends on a third-party hosted backend that receives both user links and API keys, and its installation path uses a transitive CLI/skills-add flow with limited provenance detail. This looks more like a vendor-hosted integration than overt malware, but the external credential routing and install trust chain make it medium risk.