cometchat-features
Warn
Audited by Socket on Apr 28, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The feature-enablement purpose mostly matches the described actions, and the calls SDK install appears same-org and normal. However, the skill’s main workflow depends on an unverified `@cometchat/skills-cli` that reads keychain tokens, calls backend APIs, and edits project files; combined with MCP installation instructions, that creates a disproportionate trust and credential-forwarding risk.
Confidence: 83%
Severity: 82%