claw-code-harness

SUSPICIOUS. The skill’s capabilities mostly match its stated purpose and it does not request unusual credentials or route data to third-party APIs, but install trust is weaker than it should be: the skill is published by ara.so while code is sourced from an unlinked instructkr GitHub repo with no releases/package distribution, and it recommends source checkout plus optional dependency install. The official rustup curl|sh step adds low-to-medium supply-chain risk but does not appear malicious on its own.