openduck-distributed-duckdb

Warn

Audited by Socket on Apr 15, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill's capabilities mostly match its distributed DuckDB purpose, but trust is weakened by a publisher/source mismatch, lack of verifiable release provenance, and the need to disable DuckDB extension signature checks. Data flows and token use are proportionate to the product, so this is not confirmed malware, but it carries meaningful supply-chain and execution-trust risk.

Confidence: 87%
Severity: 68%

Audit Metadata

Analyzed At: Apr 15, 2026, 01:43 AM
Package URL: pkg:socket/skills-sh/Aradotso%2Ftrending-skills%2Fopenduck-distributed-duckdb%2F@c07e6bd42f5a282c87088c5d57465ab8f9aa214d