hokipoki

SUSPICIOUS. The skill's purpose and capabilities are broadly aligned, but its footprint is high-risk: it sends local code and prompts through a third-party HokiPoki network, can auto-apply remote AI patches, and enables provider/listener mode for remote task handling. This is not confirmed malware, but it creates meaningful data exposure and trust-boundary risks that are disproportionate for a simple "switch models" workflow.