install-nodejs-22

Fail

Audited by Socket on Mar 10, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill aligns reasonably with its stated purpose of setting up a Node.js development environment by installing fnm, Node.js 22, and pnpm across platforms. However, there are notable supply-chain and verification gaps: downloads are performed without explicit signature checks or pinned hashes, and there is reliance on external binaries obtained via curl. Enabling corepack involves privilege elevation, which is standard but should be disclosed clearly to the user. Given the combination of legitimate tooling installation and these verification gaps, the footprint is suspicious but not definitively malicious. It should be treated as a benign capability with elevated risk due to potential supply-chain weaknesses unless proper verification steps (checksums/signatures, pinned versions, and trusted sources) are added.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 10, 2026, 01:21 AM
Package URL: pkg:socket/skills-sh/cmkim%2Fmj-download-test%2Finstall-nodejs-22%2F@5d71fc32c0b21cb29da5325dff749f1eb1fca670