deliverable-upgrade
Warn
Audited by Socket on Apr 16, 2026
1 alert found:
Security (MEDIUM): SKILL.md
This skill’s capabilities mostly match its stated purpose: it upgrades the 'deliverable' skill and shows changes. The main risk is supply-chain and transitive trust: it pulls mutable remote content from GitHub and can invoke 'npx skills add' to install/update skill code without pinning or verification. That is suspicious but not malicious; there is no credential harvesting, hidden exfiltration, or unrelated access.
Confidence: 91%
Severity: 73%
Audit Metadata