Xiabb

What to consider before installing: - Metadata mismatch: the registry did not declare required environment variables, but SKILL.md requires a GEMINI API key (GEMINI_API_KEY or ~/.api-key). Expect to provide that key for the app to work. - High‑privilege behavior: the app needs macOS Accessibility permissions (global key capture) and performs text injection (AXUIElement or simulated paste). Granting Accessibility lets the app observe/affect other apps — only proceed if you trust the source and code. - Inspect install/uninstall scripts: the package includes install.sh, native build scripts, and uninstall.sh. Review these scripts before running them for unsafe operations (e.g., dangerous rm -rf usage, writing files to system locations, or invoking remote code). Build from source yourself if possible. - API key handling: ensure the key is not embedded in URLs or logs. Prefer storing credentials in the OS keychain rather than plaintext files; confirm the code sends the key in HTTP headers (not query strings). - Verify provenance: the SKILL.md points to a GitHub repository and releases — check that repository (commits, stars, issues, author identity) and verify the distributed binary is notarized by Apple if you plan to run the prebuilt release. - Test safely: if you want to try it, run it in a controlled environment first (dedicated test macOS account or VM), and monitor network traffic to confirm it only talks to expected endpoints (Google Gemini endpoints and GitHub). - If you lack the ability to audit code, prefer not to grant Accessibility or run install scripts; consider using an alternative vetted solution. Confidence notes: the assessment is based on the included SKILL.md and repository files; no automated scan flags were provided. The issues found (metadata mismatch, API key handling, and shell scripts) could be legitimate design choices or sloppy packaging; that ambiguity is why the verdict is "suspicious" rather than "benign".