akf-trust-metadata

SUSPICIOUS. The skill’s purpose and commands are internally coherent for a metadata/provenance tool, but install trust is not established: it asks users to install external pip/npm packages tied to an individual/community publisher without proof that the package names, website, and repo are all officially linked. No direct credential theft or exfiltration is shown, so this is not confirmed malware, but it carries medium supply-chain risk.