facts-discover

SUSPICIOUS: The skill’s purpose is coherent and mostly local, with no credential harvesting or external data exfiltration. However, its core workflow relies on an undocumented `facts` CLI whose provenance cannot be verified from the skill, creating a significant supply-chain trust gap. The overall footprint fits the stated purpose, but the missing trust chain for the required executable makes the skill medium-high risk rather than benign.