browser-testing-with-devtools

SUSPICIOUS. The skill’s purpose and capabilities are largely coherent and it includes strong safety boundaries against browser-content prompt injection and credential access. The main issue is install trust: the documented `npx @anthropic/chrome-devtools-mcp@latest` does not match the official ChromeDevTools package name found in public docs, and it is unpinned runtime execution. That mismatch makes provenance uncertain and elevates risk, but there is no evidence of credential harvesting, exfiltration, or malicious intent in the skill itself.