use-findskill

SUSPICIOUS: the skill’s stated purpose matches its behavior, but that behavior is high-risk because it teaches the agent to install and trust additional third-party skills. npm-based installation is more legitimate than raw download-execute, yet unpinned package execution, community/unverified skill content, and the `FINDSKILL_API` override create a significant transitive supply-chain and prompt-injection risk.