langsmith-evaluator
Audited by Socket on Mar 10, 2026
1 alert found:
Obfuscated File
The skill’s stated purpose (evaluations via LangSmith with Python/TypeScript examples and CLI tooling) is coherent with its described capabilities. However, there is a notable security concern: the installation path relies on downloading and executing a script from a public GitHub URL (curl ... | sh), which introduces an unverifiable supply-chain risk. Credentials are required (LangSmith API key and OpenAI key), which is standard for this domain but increases risk if not properly protected. The data flows to LangSmith/OpenAI are expected for evaluation tasks but rely on secure handling of keys and minimal exposure in logs. Overall, the footprint is suspicious but not malicious by intent; in the absence of verified signatures/checksums for the installer, it should be treated as SUSPICIOUS with recommended mitigations (pin/install from verified releases, verify checksums, limit environment exposure, review the installer script, and use official registries where possible).