cliproxy-manager

Functionally, the skill's declared capabilities match its purpose: managing CLIProxyAPI configuration and reading status/usage. The primary security concerns are operational — the skill requires high-value secrets (management key) and provides write access that can change API keys and routing. The documentation encourages practices that increase exposure risk (accepting plaintext keys, CLI args, storing backups in /tmp) and lacks constraints around network endpoints and TLS. No concrete evidence of embedded malware or obfuscated malicious code is present in the provided text, but the ability to change persisted configuration and upload new keys makes this a high-impact capability if misused or if the helper script forwards keys to untrusted endpoints. Recommend careful implementation review of cliproxy_api.py, enforce secure handling of secrets (avoid CLI arg secrets, prefer secure stdin or OS key stores, avoid /tmp, enforce TLS and host whitelists), audit logs to ensure secrets are never recorded, and restrict the management API to localhost or private network unless strong authentication and auditing are in place.