groove-admin-install

SUSPICIOUS: the skill’s local setup behavior is broadly consistent with its stated bootstrap purpose, but it materially expands trust by installing multiple external skills through `npx skills add`, including third-party GitHub sources. There is no clear credential theft or exfiltration, so this is not malicious, but the transitive install and supply-chain footprint make it medium/high risk.