us-kline

SUSPICIOUS. The stated purpose is plausible, but the actual data flow is not trustworthy: all requests are forced to an unverifiable private service on a raw IP over plain HTTP, with a hardcoded API key embedded in the skill. The local install step is benign, but the runtime network and credential handling create high security risk and weak data-flow integrity.