puff

Fail

Audited by Socket on Mar 13, 2026

1 alert found:

Malware (HIGH)
SKILL.md

SUSPICIOUS: the skill’s purpose and capabilities mostly align, but its core execution path relies on a personal third-party `puff` CLI rather than official OpenAI tooling. There is no clear evidence of credential theft or proxy exfiltration, yet the install trust model and authenticated wrapper behavior create medium security risk.

Confidence: 84%
Severity: 64%
Audit Metadata

Analyzed At: Mar 13, 2026, 11:19 AM
Package URL: pkg:socket/skills-sh/tkersey%2Fdotfiles%2Fpuff%2F@24a870db5dc4cd06d5fa46bd68e057133043e4b0