huly-api

SUSPICIOUS. The skill’s core purpose matches Huly collaboration, but it grants an agent broad autonomous publishing behavior, forwards raw bearer tokens to a runtime-configured backend, and lets untrusted channel content influence later actions. No clear malware or hostile installer is present, yet the combination of token handling, configurable endpoints, and mandatory cross-surface posting creates meaningful security risk.