Skywork Document

SUSPICIOUS. The skill's main capabilities align with its stated purpose, but it routes user prompts, uploaded files, and auth tokens through bundled scripts to a third-party remote service, reads a cached token from the home directory, and has weaker-than-ideal distribution provenance if installed from the registry zip path. This is not clearly malicious, but it carries meaningful privacy, credential-handling, and trust risks beyond a purely local document tool.