spark

SUSPICIOUS. The skill’s stated purpose is coherent, but its implementation relies on unverifiable bundled binaries, and one of them receives an API key despite not matching Tavily’s documented official integration path. The main concern is install/execution trust and credential forwarding to opaque local code, not overt malicious behavior.