octocode-researcher
Warn
Audited by Socket on Mar 17, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS: the skill’s purpose mostly matches its research capabilities, but it combines unpinned `npx` execution of a third-party MCP server with broad ingestion of untrusted external content and local write/clone capabilities. This looks more like a high-risk research automation skill than malware; the main concerns are supply-chain trust and indirect prompt-injection exposure, not overt credential theft or exfiltration.
Confidence: 86%
Severity: 61%
Audit Metadata