em-capture-idea

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill's stated purpose (collect and save research material into an Obsidian Inbox) aligns with most of its capabilities: reading a local config, invoking a local Twitter/X CLI, and writing markdown files are proportionate to the function. The primary security concerns are operational rather than covert malware: (1) it executes a third-party CLI (bird) using the user's existing credentials and performs destructive operations (bird unbookmark) which modify the user's account; (2) it writes files into the user's Obsidian vault and includes remote embeds which can leak metadata when notes are opened; (3) it instructs installing third-party tooling via Homebrew, which is a supply-chain action. There is no evidence of obfuscation, hidden network exfiltration to attacker-controlled endpoints, or embedded malicious payloads. Overall the skill is functionally coherent but carries moderate security/privacy risk due to destructive account actions and file/network effects. Recommend clearly prompting for per-item confirmation before running unbookmark, documenting privacy implications of remote embeds, and ensuring the user explicitly consents to installation/execution of the bird CLI.

Confidence: 80%
Severity: 75%

Audit Metadata

Analyzed At: Mar 4, 2026, 09:20 AM
Package URL: pkg:socket/skills-sh/easymailing%2Feasymailing-skills%2Fem-capture-idea%2F@113f0ef1c5bbf2d1dde9542c2bb4c3d498a7febe