Mu Pet

What to consider before installing: - This installs a local Electron app in your home directory and runs npm install, which will fetch packages (electron, express) from npm and run any package install scripts — common for Node apps but a vector for supply-chain risk. Only proceed if you trust the skill source. - The installer writes a LaunchAgent plist to ~/Library/LaunchAgents and loads it immediately so the pet auto-starts on login. The uninstall script removes this, but check the plist before allowing it to run. - The app uses osascript (AppleScript via child_process.execSync) to read the frontmost window's bounds. macOS may prompt you for Automation/Accessibility/Automation permissions when this runs. - The pet exposes an unauthenticated HTTP API on 127.0.0.1:18891. Any local process can call it to change the pet's state (show text bubbles, etc.). This is expected functionality but be aware of local access. - The Electron BrowserWindow is created with nodeIntegration: true and contextIsolation: false (renderer has Node privileges). This is typical for simple local Electron tools, but increases impact if the renderer could be fed untrusted content. In this package the UI is local files; still, be cautious about editing or enabling remote content. - If you want to be extra careful: inspect main.js/index.html yourself, run the app in a sandboxed environment first (or review npm install output), and verify the LaunchAgent plist path and ProgramArguments before loading it with launchctl. Overall: the skill appears coherent for a macOS desktop pet; the risks are operational (npm install, LaunchAgent persistence, local unauthenticated API) rather than indicators of hidden malicious intent.