nano-generate-qr

SUSPICIOUS: the core QR function is benign, but the skill mixes that simple purpose with unpinned remote package execution and broader wallet/receive workflows. Main risk is supply-chain trust and scope creep, not confirmed malware or credential theft.