atxp

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill appears to be a standard CLI and client wrapper for accessing ATXP's paid API endpoints. Its capabilities align with its stated purpose: it requires an ATXP_CONNECTION credential and routes requests to ATXP MCP servers. The primary supply-chain and security considerations are: (1) npx usage causes runtime download-and-execute from npm (transitive install risk) and the documentation does not show pinned versions or integrity checks, and (2) a sensitive credential is stored locally and forwarded to remote service endpoints — appropriate for API access but high-value if compromised. I find no direct indicators of malware, hidden exfiltration endpoints, or instructions to read unrelated sensitive files. Overall risk is moderate due to the standard supply-chain vector (npx) and credential forwarding; use only if you trust the ATXP npm publisher and their servers, and consider pinning versions or auditing the package code before running.

Confidence: 75%
Severity: 75%

Audit Metadata

Analyzed At: Mar 4, 2026, 05:50 AM
Package URL: pkg:socket/skills-sh/aiskillstore%2Fmarketplace%2Fatxp%2F@2e0ec292ae65296d474c7893de8b3d19db797b98