agent-ui

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

This skill component appears to be a legitimate UI integration for agent-based chat with an expected requirement for an API key and a proxy SDK. The primary security concerns are supply-chain and data-exfiltration risks from transitive skill installation (npx skills add ...), client-side tools that can read form/DOM data, and dependence on a third-party SDK/proxy which may forward API keys or request payloads to external services (inference.sh, openrouter). There is no direct evidence of obfuscated or explicitly malicious code in the provided documentation fragment, but the install and transitive-install patterns and client-side tool capabilities raise moderate supply-chain and privacy risks. Reviewers should: (1) audit @inferencesh/sdk and any installed skills before use, (2) avoid granting client-side tools access to sensitive form fields or thoroughly sandbox/review them, and (3) verify where the proxy sends data and whether the API key is stored/forwarded by any third party.

Confidence: 70%
Severity: 65%

Audit Metadata

Analyzed At: Mar 4, 2026, 12:11 AM
Package URL: pkg:socket/skills-sh/inf-sh%2Fskills%2Fagent-ui%2F@2266185b2981f069769e162ab95b136ed61c1af3