proof
Audited by Socket on Mar 2, 2026
1 alert found:
Security: This skill is documentation for interacting with Proof's web API and a local macOS bridge. I found no embedded malicious code, obfuscated payloads, or download-and-execute supply-chain patterns. The main security concerns are operational: (1) the API creates shareable tokens and ownerSecret values and exposes token URLs (tokens in query strings) which can be leaked via browser history, referrers, shell history, or logs, and (2) example usage places tokens on command lines and environment which increases leakage risk. The local bridge surface on localhost:9847 is a normal design for a desktop app but means local processes can interact with the app if the machine is compromised. Overall there is no clear evidence of intent to exfiltrate data to attacker-controlled domains, but the token handling patterns raise moderate security risk and require careful operational practices (avoid tokens in URLs/command lines, rotate/revoke secrets, restrict local access).