article-to-cover

The skill’s file access and workflow are broadly consistent with a poster-design assistant, and there is no clear credential harvesting or explicit exfiltration path in the visible instructions. However, it requires and executes an opaque local meitu-ai runner whose provenance and official distribution cannot be verified from the evidence, so the skill is best classified as SUSPICIOUS with high supply-chain risk rather than malicious.