flomo-analysis-studio

Warn

Audited by Socket on Apr 11, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill's stated purpose and note-access scope are coherent, but its core dependency `flomo-local-api` is not verifiably official or sourced from a trusted registry in the provided evidence. Because the skill depends on an unidentified executable that can access highly sensitive personal notes through the local desktop session, the main issue is high supply-chain/install-trust risk rather than confirmed malicious behavior.

Confidence: 87%
Severity: 82%
Audit Metadata

Analyzed At: Apr 11, 2026, 11:00 PM
Package URL: pkg:socket/skills-sh/Undertone0809%2Fflomo-skills%2Fflomo-analysis-studio%2F@259848a66143419b7703ee94667678cb84722069