find-skills

SUSPICIOUS: The stated purpose matches discovery, but the skill goes further by instructing the agent to install other skills, creating a transitive trust chain. The CLI appears to be official and same-org, which lowers pure malware concern, but the undocumented `install-skill.sh` path and broad third-party skill sources make this a meaningful supply-chain risk.