find-skills

SUSPICIOUS: The skill’s stated purpose matches its behavior, but that behavior is inherently high-trust because it installs other skills. Same-org CLI provenance reduces malware concern, yet the transitive installation model, unpinned `npx` execution, broad third-party git source support, global installs, and default telemetry make this a medium-high security risk.