varg-ai
Warn
Audited by Socket on Apr 27, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core media-generation behavior and official varg.ai data flows are coherent with the stated purpose, so this does not look like outright malware. Risk comes from direct credential-file handling, writing secrets into .env, remote version checking plus transitive npx skill updates, and the ability to initiate billing checkout flows using an OTP-derived access token.
Confidence: 83%
Severity: 58%
Audit Metadata