Aixin

Before installing, consider these points: - Source and provenance: The skill's source is unknown. The README points at http://43.135.138.144 while SKILL.md insists the only API is https://aixin.chat; this mismatch is suspicious. Ask the author which host is authoritative and why an IP is present in the README. - Credentials and storage: The skill stores your password and JWT token in plaintext at ~/.aixin/profile.json. If you care about credential safety, do not use real or privileged passwords — use throwaway/test credentials or decline to install until storage is secured (e.g., use OS keyring, encrypt on disk, or avoid storing the password). - Redirect risk via env var: The code honors an AIXIN_SERVER environment variable. An attacker or misconfiguration could redirect all API traffic to a malicious endpoint. Only run if you trust the environment and host, or sandbox the skill. - Raw JSON display and message contents: The skill is designed to show raw JSON responses (including message contents). That could leak private messages or system prompts. Expect data to flow to the network host and be visible in responses. - Actionable next steps: Request clarification from the maintainer about the conflicting backend addresses and why the README lists a raw IP. Ask them to stop storing plaintext passwords (use secure storage) or to make local storage optional/clearly declared. If you must try it, test in a controlled environment with non-sensitive credentials and inspect network traffic (hostnames, destinations). If the author provides a consistent, verifiable source (official homepage or signed repository), removes plaintext password persistence (or uses secure storage), and documents the storage path and env-var behavior, this assessment could be revised toward benign.