find-skills
Audited by Socket on Apr 12, 2026
2 alerts found:
Anomaly (Security): This wrapper’s own logic appears to be a legitimate orchestration and ranking tool: it primarily calls external CLIs, parses their output, and prints install hints. However, it introduces meaningful supply-chain/operational risk by executing a runtime dependency via `npx -y @nacos-group/cli` (un-pinned runtime fetch/execute) and it forwards Nacos secrets to that subprocess via command-line flags (potential exposure through process listings/logs). No explicit malware/payload behavior is present in this snippet, but the risk profile is elevated due to runtime npm execution and credential handling practices.
SUSPICIOUS: the stated purpose matches discovery/install, but the actual footprint is a high-risk transitive installer using a custom wrapper and registry path with unclear provenance. The main concern is not immediate malware but broad supply-chain and inherited-permission risk from installing unreviewed third-party skills.