validate-address

SUSPICIOUS: The stated capability is appropriate for the skill, and no credential or exfiltration behavior is described. However, the skill relies on an unverified, unpinned `npx` package for a task that claims to be offline; this creates a disproportionate supply-chain trust risk even without evidence of confirmed malicious behavior.