GraphQL Schema Explorer

Suspicious rather than malicious. The core concern is transitive installation from `agentskillexchange/skills` while the skill is branded around `graphql/graphql-js`, creating an external trust chain not clearly tied to the cited upstream project. No direct credential theft or hostile data routing is shown, but the provenance mismatch and skill-to-skill installation make this a medium-risk AI agent skill.