voice-skill

SUSPICIOUS. The skill’s core purpose is coherent, and the PyPI package has credible same-project provenance, so this is not confirmed malware. But the install-name mismatch, unpinned source install option, reliance on an undisclosed third party (LocalTunnel), and external transmission of project context during calls make the footprint less transparent than advertised and raise medium security risk.