meihua-yishu

SUSPICIOUS. The core divination functionality is coherent, and its only package install is low-risk, but the Gemini integration is disproportionate in trust terms because it controls a live logged-in browser via Chrome DevTools Protocol instead of using a standard API. Data goes to official Google endpoints rather than a third-party proxy, so this is not confirmed malicious, but exposing remote debugging and reusing browser auth makes the skill medium risk.