ai-sdk

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Installation of third-party script detected.

No direct malicious code or obfuscated payloads are present. The skill is primarily documentation and local-doc lookup guidance for the 'ai' SDK. The main security concern is the explicit recommendation and example that routes model discovery/use through the Vercel AI Gateway (ai-gateway.vercel.sh). That increases supply-chain and privacy exposure because model selection and potentially subsequent API usage could be proxied through a third-party service. I rate this as not malicious but having a moderate security risk due to default third-party routing and lack of explicit guidance on credential handling and privacy implications.

LLM verification: Not malware. The skill is a documentation/instruction artifact that plausibly supports developer workflows for the 'ai' SDK. No hard-coded secrets, obfuscated code, or direct exfiltration routines were found. The primary risks are supply-chain (unverified package installs) and privacy/network routing (defaulting to the Vercel AI Gateway and providing a curl example). Treat those as moderate security concerns: verify packages before install, and explicitly evaluate and document the privacy/creden

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 21, 2026, 04:25 PM
Package URL: pkg:socket/skills-sh/vijaykpatel%2Ffavorite_skills_and_plugins%2Fai-sdk%2F@d093459d6ee53c2dbc99278f34f053aef29c44ee