kimi

SUSPICIOUS. The skill’s main behavior matches its stated purpose, and upstream Kimi CLI provenance is reasonably verifiable through official MoonshotAI channels and package registries. However, it adds meaningful risk by relying on the x-cmd wrapper auto-install path and by encouraging YOLO auto-approval, which can let an AI coding agent execute actions with reduced user oversight. No clear credential theft, covert exfiltration, or incompatible capability was shown.