ai

Warn

Audited by Socket on Apr 13, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS. The skill’s stated purpose is coherent for an AI SDK reference, and most capabilities are proportionate. The main risk is install/provenance inconsistency: the documented package name and import path do not match the cited open-source project docs, and the PyPI publisher does not clearly align with the Vercel branding used in the skill. That makes this a trust and supply-chain concern rather than confirmed malware. MCP examples and custom base_url support also widen data-flow risk, but they are plausibly in-scope for an SDK skill.

Confidence: 89%
Severity: 62%

Audit Metadata
Analyzed At: Apr 13, 2026, 10:21 PM
Package URL: pkg:socket/skills-sh/vercel-labs%2Fpy-ai%2Fai%2F@f03e8e50d075c9f9ae3904c645500734cc107e11