paperclip

SUSPICIOUS. The skill’s stated purpose is coherent, but its install and execution footprint is not: it directs users to a CLI name, repo, and curl|bash installer that do not match the verified official Paperclip publisher evidence. Because the skill then supplies a Paperclip API key to that third-party CLI, the main risk is credential forwarding through an unverified supply chain rather than overt malicious behavior.