huly-assist

SUSPICIOUS. The skill’s capabilities and required Huly credentials fit its project-management purpose, and no obvious third-party exfiltration endpoint is disclosed. However, install/execution trust is weak because the core huly executable is required but not sourced or verified in the skill, so users are asked to hand API credentials to an effectively unverifiable local tool. This is not confirmed malware, but it is high security risk due to opaque binary trust and real-world mutation capabilities.