duckdb
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File
The skill aligns with its stated purpose of enabling DuckDB-based local analytics and data workflows. However, it relies on a download-execute installer (curl | sh) from an external domain, which introduces supply-chain risk and requires trust in the source. This pattern, combined with multiple installation pathways and lack of explicit integrity verification, justifies a cautious assessment. The data flows are primarily local (no credential exposure or remote data transfer evident in the material), which is consistent with the described analytics focus, but the initial install path it espouses is the primary security concern. Overall verdict: SUSPICIOUS due to download-execute installer pattern; otherwise benign in data flow, but the install surface elevates risk.