ccpi-marketplace

This skill is coherent with its stated purpose, but it is higher risk than a normal documentation skill because its core action is installing external plugin packs/skills. The npm-based ccpi install path appears legitimate and consistent with public docs, so this is not strong evidence of malware; however, the transitive installation behavior and only partially verified publisher linkage make it suspicious enough to treat as medium risk.