button-play-apollo-skill

SUSPICIOUS. The skill’s actions fit its stated Vue component-integration purpose, and data flows stay within same-domain docs and registry endpoints. However, the core packages are served from a private registry with limited public provenance and unpinned installs, so the supply-chain risk is materially elevated even without evidence of overtly malicious behavior.