local-llm-provider

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This SKILL.md documents a local-LM provider that is functionally coherent: it expects local servers, uses local URLs, and optionally falls back to a cloud provider using an API key. The primary supply-chain risk is the recommended curl|bash installation for Ollama (download-and-execute). Additional risks stem from forwarding user prompts and potentially secrets to a cloud provider when fallback is enabled; the README exposes the configuration vectors but does not include safeguards about privacy, token handling, or explicit cloud endpoints. No explicit malicious code or backdoors are present in the documentation itself, but missing implementation files prevent a definitive claim that the skill behaves safely at runtime. Operators should avoid blindly running curl|bash, ensure cloud fallback is disabled if privacy is required, and review the actual provider implementation before use.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Mar 1, 2026, 05:14 AM
Package URL: pkg:socket/skills-sh/winsorllc%2Fupgraded-carnival%2Flocal-llm-provider%2F@6f6f12535df84b2fd9fd23302154ee0707a94c99