blucli
Warn
Audited by Socket on Mar 9, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill's described functionality (BluOS device discovery/control) is coherent with its stated purpose. However, it relies on installing an unverifiable binary from a GitHub module (@latest) without checksums or a trusted registry, which introduces a significant supply-chain risk and potential credential/data exposure risk if the binary is compromised or malicious. The data flows to local device endpoints are normal for this purpose, but the install/execution path is not trustworthy. Recommend replacing with an officially published, signed binary or container image from a trusted registry, and include integrity checks (checksums/signatures) and version pinning.
Confidence: 75%
Severity: 75%
Audit Metadata