autoresearch

The skill as described aims to automate autonomous ML experimentation using a remote installer, forks, and an external AI service. There are clear inconsistencies and risks: (1) installation via curl|bash from an untrusted domain without verifiable signatures raises supply-chain and execution-trust concerns; (2) reliance on forks and non-official sources expands the attack surface and complicates provenance; (3) autonomous execution with no user prompts increases risk of unintended actions; (4) external AI service involvement introduces potential credential or data exposure to third parties. Overall, the footprint is only partially aligned with a benign developer tool; several patterns indicate elevated risk due to unverifiable binaries, external data flows, and autonomous execution. Treat as SUSPICIOUS with a securityRisk leaning toward high due to multiple vectors, and monitor for possibility of malicious use if credentials or sensitive data ever flow to external services.