HokiPoki
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious due to its inherent high-risk capabilities, despite attempts at transparency and stated security measures. It instructs the AI agent to install a global npm package (`@next-halo/hokipoki-cli`), which introduces a supply chain risk. More significantly, it enables the agent to send entire local projects (the `--all` flag of `hokipoki request`) to external AI models, which poses a broad risk of exfiltrating potentially sensitive code. Furthermore, it allows the local machine to act as a 'provider' (`hokipoki listen`), executing external AI tasks in Docker containers, which changes the security posture of the host machine. While these actions are aligned with the skill's stated purpose, they represent significant security risks; the provided files show no clear malicious intent.
