mcporter

SUSPICIOUS: the npm install source is coherent and likely official, but the skill's runtime footprint is broad. It can execute arbitrary stdio commands, connect to arbitrary MCP endpoints, and forward credentials/headers to those targets, creating meaningful command-execution and credential-relay risk that is only partly constrained by the stated purpose.