alapi

Warn

Audited by Socket on Mar 24, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The core purpose and official API destination are coherent, but the skill's credential workflow is not: it directs users to obtain/manage tokens through a third-party Apifox page instead of ALAPI's own documented console, asks the user to send the token back to the agent, and persists it in plaintext shell startup files. There is no strong evidence of malware or malicious exfiltration, but the token-handling and acquisition path are inconsistent enough to raise medium security concern.

Confidence: 89%
Severity: 61%

Audit Metadata

Analyzed At: Mar 24, 2026, 12:54 PM

Package URL: pkg:socket/skills-sh/wangyendt%2Fwayne-skills%2Falapi%2F@771f0e07d60693fcd6ce4d7b40beef8d3c18c781