react-grab

Warn

Audited by Socket on Apr 16, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The stated purpose is coherent, but the install and execution trust story is weaker than it should be: the skill tells users to execute mutable remote package code (`npx ...@latest`), load runtime code from unpkg, and install broad agent integrations, while the key package name differs from the published project name. That is not enough to call it malicious, but it is enough to treat the skill as medium-to-high supply-chain risk until publisher/package ownership and script behavior are independently verified.

Confidence: 80%
Severity: 66%

Audit Metadata

Analyzed At: Apr 16, 2026, 08:00 AM
Package URL: pkg:socket/skills-sh/akillness%2Foh-my-skills%2Freact-grab%2F@3b4bd9fa15b0262bd6226c0067d602e711ab7f4b